diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index cae74d63a4..dfaf5a09e2 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19929,6 +19929,11 @@ "source_path": "windows/client-management/mdm/wmi-providers-supported-in-windows.md", "redirect_url": "/windows/client-management/wmi-providers-supported-in-windows", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/do/mcc-enterprise.md", + "redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache", + "redirect_document_id": false }, { "source_path": "windows/client-management/advanced-troubleshooting-802-authentication.md", diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..e138ec5d6a --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,41 @@ + + +## Security + +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). + +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). + +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). + +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 
+ * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). + + diff --git a/education/docfx.json b/education/docfx.json index df077d1783..70b106e401 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -62,14 +62,6 @@ "garycentric" ] }, - "fileMetadata": { - "ms.localizationpriority": { - "windows/tutorial-school-deployment/**/**.md": "medium" - }, - "ms.topic": { - "windows/tutorial-school-deployment/**/**.md": "tutorial" - } - }, "externalReference": [], "template": "op.html", "dest": "education", diff --git a/education/windows/index.yml b/education/windows/index.yml index 8f01835c6d..a84e4b3961 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -7,7 +7,8 @@ metadata: title: Windows for Education documentation description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune ms.topic: landing-page - ms.prod: windows + ms.prod: windows-client + ms.technology: itpro-edu ms.collection: - education - highpri 
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 96a201ab55..f7ea182a40 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -82,7 +82,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Application | Supported version | App Type | Vendor | |-----------------------------------------|-------------------|----------|------------------------------| | 3d builder | 15.2.10821.1070 | Win32 | Microsoft | -| Absolute Software Endpoint Agent | 7.21-15655 | Win32 | Absolute Software Corporation| | AirSecure | 8.0.0 | Win32 | AIR | | Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | | Brave Browser | 106.0.5249.65 | Win32 | Brave | diff --git a/images/grouppolicy-paste.png b/images/grouppolicy-paste.png new file mode 100644 index 0000000000..ba2de148f1 Binary files /dev/null and b/images/grouppolicy-paste.png differ diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index e13b0747f4..73c14c4195 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml 
@@ -1,25 +1,19 @@ ### YamlMime:Landing -title: Windows application management # < 60 chars -summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. # < 160 chars +title: Windows application management +summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. metadata: - title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: - - windows-10 + title: Windows application management + description: Learn about managing applications in Windows 10 and Windows 11. + ms.topic: landing-page + ms.prod: windows-client + ms.collection: - highpri author: nicholasswhite ms.author: nwhite manager: aaroncz - ms.date: 08/24/2021 #Required; mm/dd/yyyy format. - ms.localizationpriority : medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + ms.date: 08/24/2021 landingContent: # Cards and links should be based on top customer tasks or top subjects diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index d02f1b1f53..7e49be291f 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md 
@@ -202,9 +202,9 @@ The following table shows the required information to create an entry in the Azu ### Add on-premises MDM to the app gallery -There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant. +There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. -However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. +However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. ## Themes diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 7fdf68a9fa..ff469792d0 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -6,12 +6,10 @@ summary: Find out how to apply custom configurations to Windows client devices. metadata: title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-manage ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz 
diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index fe657489a9..d8bd8ed982 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -6,11 +6,10 @@ summary: Learn more about the configuration service provider (CSP) policies avai metadata: title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - ms.topic: landing-page # Required - services: windows-10 - ms.prod: windows + ms.topic: landing-page + ms.technology: itpro-manage + ms.prod: windows-client ms.collection: - - windows-10 - highpri ms.custom: intro-hub-or-landing author: vinaypamnani-msft diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 441350957a..828657eada 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md 
@@ -1457,9 +1457,11 @@ ADMX Info: Set this policy to restrict peer selection via selected option. -Options available are: 1=Subnet mask (more options will be added in a future release). +In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery". -Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). + +The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. @@ -1474,7 +1476,9 @@ ADMX Info: The following list shows the supported values: -- 1 - Subnet mask. +- 0 - NAT +- 1 - Subnet mask +- 2 - Local Peer Discovery diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 8475dbc0d9..ee0b9dac66 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4426,7 +4426,7 @@ The following list shows the supported values: ADMX Info: - GP Friendly name: *Enable extended hot keys in Internet Explorer mode* - GP name: *EnableExtendedIEModeHotkeys* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* +- GP path: *Windows Components/Internet Explorer/Main* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 13fe288906..693f130feb 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md 
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol -List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. +List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -310,4 +310,4 @@ The value is an int 1-1440 that specifies the number of minutes the session is i ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 32217ff75b..10e2076e07 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -104,11 +104,11 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura Example 1: Azure Active Directory focused. -The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. +The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. ```xml - + 
@@ -119,12 +119,12 @@ The following example updates the built-in administrators group with Azure AD ac Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] -> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. +> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. Example: ```xml - + @@ -134,11 +134,11 @@ Example: Example 3: Update action for adding and removing group members on a hybrid joined machine. -The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. +The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml - + diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index be1a9d7a92..fe0ebfbafc 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml 
@@ -6,12 +6,9 @@ summary: Find out how to apply custom configurations to Windows 10 and Windows 1 metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice ms.topic: landing-page # Required + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index dec9776934..32f8c08e76 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md 
@@ -56,7 +56,7 @@ Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled Remove All Programs list from the Start Menu | Enabled – Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drivers +Prevent access to drives from My Computer | Enabled - Restrict all drives >[!NOTE] >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index a732f8301a..85b109b135 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -221,7 +221,11 @@ - name: UCClientUpdateStatus href: update/wufb-reports-schema-ucclientupdatestatus.md - name: UCDeviceAlert - href: update/wufb-reports-schema-ucdevicealert.md + href: update/wufb-reports-schema-ucdevicealert.md + - name: UCDOAggregatedStatus + href: update/wufb-reports-schema-ucdoaggregatedstatus.md + - name: UCDOStatus + href: update/wufb-reports-schema-ucdostatus.md - name: UCServiceUpdateStatus href: update/wufb-reports-schema-ucserviceupdatestatus.md - name: UCUpdateAlert diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index bdcc134152..674bd00551 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md 
+++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -3,7 +3,7 @@ title: Windows Autopilot EULA dismissal – important information description: A notice about EULA dismissal through Windows Autopilot ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 author: frankroj ms.author: frankroj manager: aaroncz @@ -13,8 +13,8 @@ ms.technology: itpro-deploy --- # Windows Autopilot EULA dismissal – important information ->[!IMPORTANT] ->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). +> [!IMPORTANT] +> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index ac883e80a0..1d67fee4df 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md 
@@ -9,72 +9,83 @@ ms.reviewer: manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Add Microsoft Store for Business applications to a Windows 10 image -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps. ->[!IMPORTANT] ->In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. +> [!IMPORTANT] +> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. ## Prerequisites -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. +- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. -* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). -* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). +- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). +- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). 
->[!NOTE] +> [!NOTE] > If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**. ## Adding a Store application to your image On a machine where your image file is accessible: + 1. Open Windows PowerShell with administrator privileges. -2. Mount the image. At the Windows PowerShell prompt, type: + +2. Mount the image. At the Windows PowerShell prompt, enter: `Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test` -3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type: + +3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter: `Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml` ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. +> [!NOTE] +> Paths and file names are examples. Use your paths and file names where appropriate. > ->Do not dismount the image, as you will return to it later. +> Do not dismount the image, as you will return to it later. ## Editing the Start Layout In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. On a test machine: + 1. **Install the Microsoft Store for Business application you previously added** to your image. + 2. 
**Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**. + 3. Open Windows PowerShell with administrator privileges. + 4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image. + 5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image. Now, on the machine where your image file is accessible: -1. Import the Start layout. At the Windows PowerShell prompt, type: + +1. Import the Start layout. At the Windows PowerShell prompt, enter: `Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"` -2. Save changes and dismount the image. At the Windows PowerShell prompt, type: + +2. Save changes and dismount the image. At the Windows PowerShell prompt, enter: `Dismount-WindowsImage -Path c:\test -Save` ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. +> [!NOTE] +> Paths and file names are examples. Use your paths and file names where appropriate. 
> ->For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization) +> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization) ## Related articles -* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) -* [Export-StartLayout](/powershell/module/startlayout/export-startlayout) -* [Import-StartLayout](/powershell/module/startlayout/import-startlayout) -* [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) -* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -* [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) + +- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) +- [Export-StartLayout](/powershell/module/startlayout/export-startlayout) +- [Import-StartLayout](/powershell/module/startlayout/import-startlayout) +- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) +- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) 
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 0ee1248e7e..3dbdf7eef2 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -8,15 +8,15 @@ manager: aaroncz ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Configure a PXE server to load Windows PE -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. 
@@ -37,107 +37,122 @@ All four of the roles specified above can be hosted on the same computer or each 3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory doesn't already exist, it will be created. - ``` + ```cmd copype.cmd ``` For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: - ``` + ```cmd copype.cmd amd64 C:\winpe_amd64 ``` The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: - - ``` + + ```cmd C:\winpe_amd64 C:\winpe_amd64\fwfiles C:\winpe_amd64\media C:\winpe_amd64\mount ``` + 4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. + ```cmd + dism.exe /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount ``` - Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount - ``` - Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**. + + Verify that the message **The operation completed successfully** is displayed. + + > [!NOTE] + > To view currently mounted images, enter **`dism.exe /get-MountedWiminfo`**. 5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. 
Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**: - ``` - net use y: \\PXE-1\TFTPRoot + ```cmd + net.exe use y: \\PXE-1\TFTPRoot y: md Boot ``` + 6. Copy the PXE boot files from the mounted directory to the \boot folder. For example: - ``` + ```cmd copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot ``` -7. Copy the boot.sdi file to the PXE/TFTP server. - ``` +7. Copy the boot.sdi file to the PXE/TFTP server. + + ```cmd copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot ``` -8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. - ``` +8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. + + ```cmd copy C:\winpe_amd64\media\sources\boot.wim y:\Boot ``` -9. (Optional) Copy true type fonts to the \boot folder - ``` +9. (Optional) Copy TrueType fonts to the \boot folder + + ```cmd copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts ``` ## Step 2: Configure boot settings and copy the BCD file -1. Create a BCD store using bcdedit.exe: +1. Create a BCD store using bcdedit.exe: + ```cmd + bcdedit.exe /createstore c:\BCD ``` - bcdedit /createstore c:\BCD - ``` -2. Configure RAMDISK settings: +2. 
Configure RAMDISK settings: + + ```cmd + bcdedit.exe /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" + bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot + bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi + bcdedit.exe /store c:\BCD /create /d "winpe boot image" /application osloader ``` - bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi - bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader - ``` + The last command will return a GUID, for example: - ``` + + ```console The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. ``` + Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID. -3. Create a new boot application entry for the Windows PE image: +3. Create a new boot application entry for the Windows PE image: + ```cmd + bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows + bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes + bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes ``` - bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe - bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} systemroot \windows - bcdedit /store c:\BCD /set {GUID1} detecthal Yes - bcdedit /store c:\BCD /set {GUID1} winpe Yes - ``` -4. 
Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): - ``` - bcdedit /store c:\BCD /create {bootmgr} /d "boot manager" - bcdedit /store c:\BCD /set {bootmgr} timeout 30 - bcdedit /store c:\BCD -displayorder {GUID1} -addlast - ``` -5. Copy the BCD file to your TFTP server: +4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): + ```cmd + bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager" + bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30 + bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast ``` + +5. Copy the BCD file to your TFTP server: + + ```cmd copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD ``` -Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit.exe /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. -``` -C:\>bcdedit /store C:\BCD /enum all +```cmd +C:\>bcdedit.exe /store C:\BCD /enum all Windows Boot Manager -------------------- identifier {bootmgr} 
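Review bot: In Step 1, `net.exe use y: \\PXE-1\TFTPRoot` maps the TFTP root as a writable SMB share and every following step copies boot-critical files into it (`boot.wim`, `boot.sdi`, and in Step 2 the `BCD` store), yet the text only says to "enable sharing for this directory". Anything that can write to `\Boot` on that share decides what every PXE client boots, so the step should tell the reader to limit write access on the share to the account doing the copy and make it read-only (or stop sharing it) once the files are in place. Two smaller points in the same hunk: `bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast` mixes `-` switches with the `/` style used on every other bcdedit line and should read `/displayorder {GUID1} /addlast`; and the closing `C:\>bcdedit.exe /store C:\BCD /enum all` block is a prompt plus captured output, so it should be fenced as ```console like the GUID-creation output earlier in the hunk, not ```cmd.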
@@ -163,25 +178,46 @@ ramdisksdidevice boot ramdisksdipath \Boot\boot.sdi ``` ->[!TIP] ->If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. +> [!TIP] +> If you start the PXE boot process, but receive the error **The boot configuration data for your PC is missing or contains error**, then verify that `\boot` directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. ## PXE boot process summary The following process summarizes the PXE client boot. ->The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)). + + +> [!NOTE] +> The following assumes that the client and PXE server are on the same network/subnet/vlan or that PXE requests have been appropriately forwarded from the client to the PXE server using IP helpers configured in the router or switch. For more information about IP helpers, see [Configuring Your Router to Forward Broadcasts](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)#configuring-your-router-to-forward-broadcasts-recommended). + +1. A client contacts the PXE server. When the client is on a different network/subnet/vlan as the PXE server, the client is routed to the PXE server using the IP helpers. + +2. The PXE server sends DHCP options 060 (client identifier **PXEClient**), 066 (boot server host name) and 067 (boot file name) to the client. 
+ +3. The client downloads `boot\PXEboot.n12` from the TFTP server based on DHCP option 067 boot file name value received from the PXE server. + +4. `PXEboot.n12` immediately begins a network boot. + +5. The client downloads `boot\bootmgr.exe` and the `boot\BCD` file from the TFTP server. + + > [!NOTE] + > The BCD store must reside in the `\boot` directory on the TFTP server and must be named BCD. + +6. `Bootmgr.exe` reads the BCD operating system entries and downloads `boot\boot.sdi` and the Windows PE image (`boot\boot.wim`). Optional files that can also be downloaded include TrueType fonts (`boot\Fonts\wgl4_boot.ttf`) and the hibernation state file (`\hiberfil.sys`) if these files are present. + +7. `Bootmgr.exe` starts Windows PE by calling `winload.exe` within the Windows PE image. + +8. Windows PE loads, a command prompt opens and `wpeinit.exe` is run to initialize Windows PE. + +9. The Windows PE client provides access to tools like `imagex.exe`, `diskpart.exe`, and `bcdboot.exe` using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. + +### Related articles [Windows PE Walkthroughs](/previous-versions/windows/it-pro/windows-vista/cc748899(v=ws.10)) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index b3dd2899ed..f19a79ea47 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -12,7 +12,7 @@ ms.collection: highpri appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows Enterprise licenses 
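Review bot: In the new PXE boot process summary, step 2 describes DHCP option 060 as "client identifier **PXEClient**"; option 60 is the vendor class identifier (option 61 is the client identifier), so it should read "060 (vendor class identifier **PXEClient**)". Also in this hunk, the rewritten TIP changes the quoted error from "contains errors" (the wording on the removed line) to "contains error", dropping the trailing "s"; restore it so readers can match the on-screen message verbatim, and "verify that `\boot` directory" needs "the" before `\boot`.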
@@ -252,7 +252,7 @@ Use the following procedures to review whether a particular device meets these r To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: -```PowerShell +```powershell (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey ``` diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index f7574e0d11..ace17b1b9f 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -10,15 +10,15 @@ author: frankroj ms.topic: article ms.collection: M365-modern-desktop ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Deploy Windows 10 with Microsoft 365 -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. 
@@ -34,38 +34,40 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor ## Free trial account -**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** +### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles. There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. -**If you do not already have a Microsoft services subscription** +### If you do not already have a Microsoft services subscription -You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. +You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. ->[!NOTE] ->If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. +> [!NOTE] +> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. 1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365). 2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide). -3. 
Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). +3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). Examples of these two deployment advisors are shown below. - [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365) - [Free trial account](#free-trial-account) + - [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center) + - [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription) - [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example) - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example) - [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) - [Related articles](#related-articles) ## Microsoft 365 deployment advisor example + ![Microsoft 365 deployment advisor.](images/m365da.png) ## Windows Analytics deployment advisor example - ## Microsoft 365 Enterprise poster [![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 170984a53f..309fe14ba0 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md 
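Review bot: The "## Windows Analytics deployment advisor example" heading now sits directly above "## Microsoft 365 Enterprise poster" with nothing between them (the only change there is the removed blank line), while the in-page link list this hunk extends still points to that empty section; either restore the missing example image or drop both the heading and its list entry. Related: step 3 links "Windows Analytics deployment advisor" and "Desktop Analytics" to the same `/mem/configmgr/desktop-analytics/overview` target, so the first link text is stale and the sentence should name one product with one link.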
@@ -9,13 +9,14 @@ author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # What's new in Windows client deployment -**Applies to:** +*Applies to:* + - Windows 10 - Windows 11 @@ -30,13 +31,14 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition ## Windows 11 Check out the following new articles about Windows 11: + - [Overview of Windows 11](/windows/whats-new/windows-11) - [Plan for Windows 11](/windows/whats-new/windows-11-plan) - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare) The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
-## Deployment tools +## Deployment tools [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
@@ -51,6 +53,7 @@ The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deploym ## Microsoft 365 Microsoft 365 is a new offering from Microsoft that combines + - Windows 10 - Office 365 - Enterprise Mobility and Security (EMS). @@ -68,6 +71,7 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include: + - Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. - Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content. 
@@ -84,6 +88,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers ### Windows Update for Business [Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include: + - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds. diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index c723dc30ae..23b36c4d59 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md 
@@ -15,46 +15,53 @@ ms.date: 10/27/2022 # Add a Windows 10 operating system image using Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 Operating system images are typically the production image used for deployment throughout the organization. This article shows you how to add a Windows 10 operating system image created with Microsoft Configuration Manager, and how to distribute the image to a distribution point. ## Infrastructure For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ->[!IMPORTANT] ->The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below. +> [!IMPORTANT] +> The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. 
The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below. - ## Add a Windows 10 operating system image +## Add a Windows 10 operating system image On **CM01**: -1. Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. -2. Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. +1. Using File Explorer, in the **`D:\Sources\OSD\OS`** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. + +2. Copy the `REFW10-X64-001.wim` file to the **`D:\Sources\OSD\OS\Windows 10 Enterprise x64 RTM`** folder. ![figure 17.](../images/ref-image.png) The Windows 10 image being copied to the Sources folder structure. -3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. -4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then select **Next**. -5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**. -6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. -7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. -8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +3. 
Using the Configuration Manager Console, in the **Software Library** workspace, right-click **Operating System Images**, and select **Add Operating System Image**. + +4. On the **Data Source** page, in the **Path:** text box, browse to **`\\CM01\Sources$\OSD\OS\Windows 10 Enterprise x64 RTM\REFW10-X64-001.wim`**, select x64 next to Architecture and choose a language, then select **Next**. + +5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**. + +6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. + +8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file and look for the **STATMSG: ID=2301** line. ![figure 18.](../images/fig18-distwindows.png) The distributed Windows 10 Enterprise x64 RTM package. -Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). +Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). ## Related articles diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 7dfcbe25b8..feff4155ed 100644 
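Review bot: The rewritten IMPORTANT callout carries over the grammar error "Our reference images is named **REFW10-X64-001.wim**" from the removed line; since the line is being touched anyway, change it to "Our reference image is named". Minor: step 4 wraps the UNC path in both bold and a code span (**`\\CM01\Sources$\OSD\OS\...`**) while step 8's `distmgr.log` path uses a bare code span; pick one treatment for paths across these steps.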
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md 
@@ -15,25 +15,26 @@ ms.date: 10/27/2022 # Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 In this article, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Add drivers for Windows PE -This section will show you how to import some network and storage drivers for Windows PE. +This section will show you how to import some network and storage drivers for Windows PE. ->[!NOTE] ->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. 
An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. +> [!NOTE] +> Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. -This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. +This section assumes you've downloaded some drivers to the **`D:\Sources\OSD\DriverSources\WinPE x64`** folder on CM01. ![Drivers.](../images/cm01-drivers.png) 
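Review bot: The NOTE line reworked here still reads "unless you've an issue" and "driver bloat in the Config Mgr database"; while rewriting it, expand the contraction to "unless you have an issue" (contracting "have" as a main verb reads as an error) and use the full product name "Configuration Manager database" as the rest of the article does.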
@@ -41,12 +42,18 @@ Driver folder structure on CM01 On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and select **Next**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\WinPE x64`** folder and select **Next**. + 3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **WinPE x64**, and then select **Next**. + 4. On the **Select the packages to add the imported driver** page, select **Next**. + 5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and select **Next**. + 6. In the popup window that appears, select **Yes** to automatically update the distribution point. + 7. Select **Next**, wait for the image to be updated, and then select **Close**. ![Add drivers to Windows PE step 1.](../images/fig21-add-drivers1.png)
@@ -68,27 +75,28 @@ Driver folder structure on CM01 On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and select **Next**. Wait a minute for driver information to be validated. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** folder and select **Next**. Wait a minute for driver information to be validated. + 3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, select **OK**, and then select **Next**. ![Create driver categories.](../images/fig22-createcategories.png "Create driver categories") Create driver categories - 4. On the **Select the packages to add the imported driver** page, select **New Package**, use the following settings for the package, and then select **Next**: - * Name: Windows 10 x64 - HP EliteBook 8560w - * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w + - Name: Windows 10 x64 - HP EliteBook 8560w + - Path: **`\\CM01\Sources$\OSD\DriverPackages\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** - >[!NOTE] - >The package path does not yet exist, so you've to type it in. 
The wizard will create the new package using the path you specify. + > [!NOTE] + > The package path does not yet exist so it has to be created by typing it in. The wizard will create the new package using the path you specify. -5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**. +5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**. - >[!NOTE] - >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. + > [!NOTE] + > If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. ![Drivers imported and a new driver package created.](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created") diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 25f8bd58cf..bc6f5f88b1 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
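Review bot: The new NOTE wording "The package path does not yet exist so it has to be created by typing it in" is awkward and slightly misleading, since typing the path does not create it, the wizard does (as the next sentence says); suggest "The package path does not exist yet. Enter it manually; the wizard creates the package at the path you specify." Also, `SMSProv.log` in the second NOTE is left as plain text while the other file and path names in this hunk are code-spanned.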
@@ -15,14 +15,16 @@ ms.date: 10/27/2022 # Create a custom Windows PE boot image with Configuration Manager -**Applies to** +*Applies to:* - Windows 10 In Microsoft Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This article shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. + - The boot image that is created is based on the version of ADK that is installed. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
@@ -31,16 +33,21 @@ For the purposes of this guide, we'll use one server computer: CM01. The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools, and later skip adding the DaRT component to the boot image. -We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. +We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **`C:\Setup\Branding`** on CM01. In this section, we use a custom background image named [ContosoBackground.png](../images/ContosoBackground.png) On **CM01**: -1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings. -2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. -3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. -4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. -5. Using File Explorer, navigate to the **C:\\Setup** folder. -6. Copy the **Branding** folder to **D:\\Sources\\OSD**. +1. Install DaRT 10 (**`C:\\Setup\\DaRT 10\\MSDaRT100.msi`**) using the default settings. + +2. 
Using File Explorer, navigate to the **`C:\Program Files\Microsoft DaRT\v10`** folder. + +3. Copy the Toolsx64.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64`** folder. + +4. Copy the Toolsx86.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86`** folder. + +5. Using File Explorer, navigate to the **`C:\Setup`** folder. + +6. Copy the **Branding** folder to **`D:\Sources\OSD`**. ## Create a boot image for Configuration Manager using the MDT wizard 
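Review bot: Step 1 keeps doubled backslashes inside a code span (**`C:\\Setup\\DaRT 10\\MSDaRT100.msi`**), which now renders as literal `\\` because the text is in backticks; steps 2 through 6 in the same hunk use single backslashes, so this one should too. The rewritten intro sentence also ends without a period after "[ContosoBackground.png](../images/ContosoBackground.png)".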
@@ -48,15 +55,18 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. -2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and select **Next**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. - >[!NOTE] - >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. +2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Boot\Zero Touch WinPE x64`** and select **Next**. -3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**. -4. On the **Options** page, select the **x64** platform, and select **Next**. -5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**. + > [!NOTE] + > The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. + +3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**. + +4. On the **Options** page, select the **x64** platform, and select **Next**. + +5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**. 
![Add the DaRT component to the Configuration Manager boot image.](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image") 
@@ -64,19 +74,25 @@ On **CM01**: >Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE. -6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**. -7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. -8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. -9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: +6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **`\\CM01\Sources$\OSD\Branding\ContosoBackground.bmp`** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**. + +7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. + +8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. + +9. Using Configuration Manager Trace, review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file. Don't continue until you can see that the boot image is distributed. 
Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **Monitoring** > **Overview** > **Distribution Status** > **Content Status** > **Zero Touch WinPE x64**. See the following examples: ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)
![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png) Content status for the Zero Touch WinPE x64 boot image -10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. +10. Using the Configuration Manager Console, in the **Software Library** workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. + 11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and select **OK**. + 12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**. + 13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below: ![PS100009 step 1.](../images/ps100009-1.png)
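Review bot: Path formatting is inconsistent within this hunk: step 9 now renders the log path as `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` in code, but the unchanged steps 12 and 13 still carry the escaped forms `D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log` and `**D:\\RemoteInstall\\SMSImages**`; convert those to the same backtick style so the backslash escapes can go. The `>Note: Another common component to add here is Windows PowerShell...` line at the top of the hunk is also left in the old plain-blockquote form while the rest of this change moves notes to `> [!NOTE]`. Finally, step 12 and 13 refer to the folder `PS100009`; since package IDs are site-specific, a short "your package ID will differ" remark next to the first mention would save readers searching for a folder that does not exist in their site.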
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 3378ffe20d..dc5fff054b 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -14,13 +14,14 @@ ms.date: 10/27/2022 # Create a task sequence with Configuration Manager and MDT -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly. 
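Review bot: The trailing sentence `Note: Active Directory [permissions](...) for the **CM_JD** account are required for the task sequence to work properly.` is left as plain text while this change converts the other notes in the same file to the `> [!NOTE]` callout; apply the same treatment here so the dependency on the delegated CM_JD permissions is not lost in the intro paragraph.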
@@ -31,32 +32,46 @@ This section walks you through the process of creating a Configuration Manager t On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. -2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**. -3. On the **General** page, assign the following settings and then select **Next**: - * Task sequence name: Windows 10 Enterprise x64 RTM - * Task sequence comments: Production image with Office 365 Pro Plus x64 -4. On the **Details** page, assign the following settings and then select **Next**: - * Join a Domain - * Domain: contoso.com - * Account: contoso\\CM\_JD - * Password: pass@word1 - * Windows Settings - * User name: Contoso - * Organization name: Contoso - * Product key: <blank> +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**. + +3. On the **General** page, assign the following settings and then select **Next**: + - Task sequence name: Windows 10 Enterprise x64 RTM + - Task sequence comments: Production image with Office 365 Pro Plus x64 + +4. On the **Details** page, assign the following settings and then select **Next**: + - Join a Domain + - Domain: contoso.com + - Account: contoso\\CM\_JD + - Password: pass@word1 + - Windows Settings + - User name: Contoso + - Organization name: Contoso + - Product key: *\* + +5. On the **Capture Settings** page, accept the default settings, and select **Next**. + +6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. + +7. 
On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\MDT\MDT`**. Then select **Next**. + +8. On the **MDT Details** page, assign the name **MDT** and select **Next**. + +9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**. -5. On the **Capture Settings** page, accept the default settings, and select **Next**. -6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. -7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then select **Next**. -8. On the **MDT Details** page, assign the name **MDT** and select **Next**. -9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**. 10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and select **Next**. + 11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and select **Next**. + 12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and select **Next**. -13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and select **Next**. + +13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Settings\Windows 10 x64 Settings`** and select **Next**. + 14. 
On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and select **Next**. + 15. On the **Sysprep Package** page, select **Next** twice. + 16. On the **Confirmation** page, select **Finish**. ## Edit the task sequence 
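Review bot: The new line `- Product key: *\*` has lost its placeholder; the removed line read `Product key: <blank>`, and the angle-bracket text appears to have been swallowed as an HTML tag when it was italicised. Escape it explicitly, for example `- Product key: *\<blank\>*`, or use a bracket-free form such as `*(leave blank)*`. In the same list, `Account: contoso\\CM\_JD` still uses Markdown escapes while the UNC paths in steps 7 and 13 were moved to backtick code; `Account: ` followed by `contoso\CM_JD` in code would be consistent. Since the join-account password `pass@word1` is stored in the task sequence by this step, a sentence noting that this is the lab value for the CM_JD join account, which carries only the Active Directory permissions linked in the intro, would be useful documentation here.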
@@ -65,66 +80,70 @@ After you create the task sequence, we recommend that you configure the task seq On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. -2. In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following: - * OSDPreserveDriveLetter: True - - >[!NOTE] - >If you don't change this value, your Windows installation will end up in D:\\Windows. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. + +2. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values). + +3. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) + +4. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. + +5. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: + + - Name: HP EliteBook 8560w + - Driver Package: Windows 10 x64 - HP EliteBook 8560w + - Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w + + > [!NOTE] + > You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' -3. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values). -4. 
In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) -5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. -6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: - * Name: HP EliteBook 8560w - * Driver Package: Windows 10 x64 - HP EliteBook 8560w - * Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w - - >[!NOTE] - >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' - ![Driver package options.](../images/fig27-driverpackage.png "Driver package options") - + The driver package options -7. In the **State Restore / Install Applications** group, select the **Install Application** action. -8. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list. +6. In the **State Restore / Install Applications** group, select the **Install Application** action. + +7. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list. ![Add an application to the task sequence.](../images/fig28-addapp.png "Add an application to the task sequence") Add an application to the Configuration Manager task sequence - >[!NOTE] - >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. 
+ > [!NOTE] + > In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the latest Configuration Manager current branch release. -9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: - * Request state storage location to: Restore state from another computer - * If computer account fails to connect to state store, use the Network Access account: selected - * Options: Continue on error - * Options / Add Condition: - * Task Sequence Variable - * USMTLOCAL not equals True +8. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: -10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: - * Options: Continue on error - * Options / Condition: - * Task Sequence Variable - * USMTLOCAL not equals True + - Request state storage location to: Restore state from another computer + - If computer account fails to connect to state store, use the Network Access account: selected + - Options: Continue on error + - Options / Add Condition: + - Task Sequence Variable + - USMTLOCAL not equals True -11. Select **OK**. +9. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: + - Options: Continue on error + - Options / Condition: + - Task Sequence Variable + - USMTLOCAL not equals True + +10. Select **OK**. ## Organize your packages (optional) -If desired, you can create a folder structure for packages. 
This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. +If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. To create a folder for packages: On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. -3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. -4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**, and then select **Packages**. + +2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. + +3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. + +4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**. Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 104e5718ef..7a7d509012 100644 
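Review bot: The removed step `2. In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following: OSDPreserveDriveLetter: True` and its note (`If you don't change this value, your Windows installation will end up in D:\Windows.`) are dropped with no replacement, and the new list starts directly with the **Apply Network Settings** step. If the action was removed on purpose (for example because it is no longer part of the current MDT client task sequence template), say so in the PR description or leave a one-line remark in the article; otherwise restore the step, since the drive-letter outcome it guards against is easy to miss. Separately, the WMI condition `SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'` would read better as inline code, which also removes the need for the `\*` and `\_` escapes.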
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md 
@@ -15,62 +15,73 @@ ms.date: 10/27/2022 # Create an application to deploy with Windows 10 using Configuration Manager +*Applies to:* -**Applies to** - -- Windows 10 +- Windows 10 Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Configuration Manager that you later configure the task sequence to use. For the purposes of this guide, we'll use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. ->[!NOTE] ->The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. + +> [!NOTE] +> The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. ## Example: Create the Adobe Reader application On **CM01**: -1. Create the **D:\Setup** folder if it doesn't already exist. -1. 
Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader. -2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: +1. Create the **`D:\Setup`** folder if it doesn't already exist. - ```powershell - Set-Location C:\Users\administrator.CONTOSO\Downloads - .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne - ``` - >Note: the extraction process will create the "Adobe" folder +2. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **`D:\Setup\Adobe`** on CM01. The filename will differ depending on the version of Acrobat Reader. -3. Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder. -4. In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**. -5. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**. -6. Right-click the **OSD** folder, and select **Create Application**. -7. In the Create Application Wizard, on the **General** page, use the following settings: +3. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. 
See the following example: - * Automatically detect information about this application from installation files - * Type: Windows Installer (\*.msi file) - * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi + ```powershell + Set-Location C:\Users\administrator.CONTOSO\Downloads + .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne + ``` + + > [!NOTE] + > The extraction process will create the "Adobe" folder. + +4. Using File Explorer, copy the **`D:\Setup\Adobe`** folder to the **`D:\Sources\Software\Adobe`** folder. + +5. In the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**. + +6. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**. + +7. Right-click the **OSD** folder, and select **Create Application**. + +8. In the Create Application Wizard, on the **General** page, use the following settings: + + - Automatically detect information about this application from installation files + - Type: Windows Installer (\*.msi file) + - Location: `\\CM01\Sources$\Software\Adobe\AcroRead.msi` ![The Create Application Wizard.](../images/mdt-06-fig20.png "The Create Application Wizard") The Create Application Wizard -8. Select **Next**, and wait while Configuration Manager parses the MSI file. -9. On the **Import Information** page, review the information and then select **Next**. -10. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**. +9. Select **Next**, and wait while Configuration Manager parses the MSI file. - >[!NOTE] - >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. 
If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. +10. On the **Import Information** page, review the information and then select **Next**. + +11. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**. + + > [!NOTE] + > Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. - ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") + ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") - Add the "OSD Install" suffix to the application name + Add the "OSD Install" suffix to the application name -11. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). -12. 
On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**. +12. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). -Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). +13. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**. + +Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). ## Related articles diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index c9e0d32d11..6a0dd625b6 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md 
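Review bot: Step 2 and step 3 disagree on where the Reader installer lives: step 2 says to download to `D:\Setup\Adobe`, but the extraction example runs `Set-Location C:\Users\administrator.CONTOSO\Downloads` and the following note says `The extraction process will create the "Adobe" folder.` Either change step 2 to download to `D:\Setup` (so the `-sfx_o"d:\Setup\Adobe\"` extraction creates the `Adobe` subfolder as the note claims), or change the example to run from `D:\Setup\Adobe` and drop the note. The step-1 `D:\Setup` folder is also the one the text already creates, so aligning the wording on that path keeps the sequence coherent.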
@@ -14,13 +14,14 @@ ms.date: 10/27/2022 # Deploy Windows 10 using PXE and Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences. This article will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this article. This article assumes that you've completed the following prerequisite procedures: + - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) 
@@ -30,37 +31,49 @@ This article assumes that you've completed the following prerequisite procedures - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). + - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. + + - CM01 is also running WDS that will be required to start PC0001 via PXE. + + > [!NOTE] + > Ensure that only CM01 is running WDS. + - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network. ->[!NOTE] ->If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. 
However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This connection isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates. ->[!NOTE] ->No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. +> [!NOTE] +> No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. ## Procedures 1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. -2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and select **Next**. + +2. On the **Welcome to the Task Sequence Wizard** page, enter in the password **pass\@word1** and select **Next**. + 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and select **Next**. -4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and select **OK**. Then select **Next**. -5. The operating system deployment will take several minutes to complete. + +4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, enter **PC0001** and select **OK**. Then select **Next**. + +5. The operating system deployment will take several minutes to complete. + 6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. 
When you see the PC0001 entry, double-click **PC0001**, and then select **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps: - * Install the Windows 10 operating system. - * Install the Configuration Manager client and the client hotfix. - * Join the computer to the domain. - * Install the application added to the task sequence. - - >[!NOTE] - >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. + - Install the Windows 10 operating system. + - Install the Configuration Manager client and the client hotfix. + - Join the computer to the domain. + - Install the application added to the task sequence. + + > [!NOTE] + > You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. ![MDT monitoring.](../images/pc0001-monitor.png) diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 5bec64ed7d..581ec6010d 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md 
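Review bot: In step 2, `enter in the password **pass\@word1**` reads awkwardly after the "type" to "enter" replacement; drop "in" so it reads `enter the password`. Step 4 is fine with plain `enter **PC0001**`. In the VM note, `2GB of RAM` should be `2 GB of RAM` to match the unit spacing used elsewhere in the docs.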
@@ -15,31 +15,32 @@ ms.date: 10/27/2022 # Finalize the operating system configuration for Windows 10 deployment with Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Enable MDT monitoring -This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. +This section will walk you through the process of creating the **`D:\MDTProduction`** deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. On **CM01**: -1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard: +1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. 
Use the following settings for the New Deployment Share Wizard: - * Deployment share path: D:\\MDTProduction - * Share name: MDTProduction$ - * Deployment share description: MDT Production - * Options: <default settings> + - Deployment share path: D:\\MDTProduction + - Share name: MDTProduction$ + - Deployment share description: MDT Production + - Options: *\* -2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**. +2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**. ![Enable MDT monitoring for Configuration Manager.](../images/mdt-06-fig31.png) @@ -51,16 +52,17 @@ The D:\Logs folder was [created previously](prepare-for-zero-touch-installation- On **CM01**: -1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt: +1. To configure NTFS permissions using `icacls.exe`, enter the following command at an elevated Windows PowerShell prompt: - ``` - icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' + ```cmd + icacls.exe D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' ``` -2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder. -3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings: +2. Using File Explorer, navigate to the **`D:\Sources\OSD\Settings\Windows 10 x64 Settings`** folder. - ``` +3. To enable server-side logging, edit the `CustomSetting.ini` file with `Notepad.exe` and enter the following settings: + + ```ini [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode 
@@ -79,12 +81,12 @@ On **CM01**: ![Settings package during deployment.](../images/fig30-settingspack.png) - The Settings package, holding the rules and the Unattend.xml template used during deployment + The Settings package, holding the rules and the `Unattend.xml` template used during deployment -3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box. +4. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box. - >[!NOTE] - >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. + > [!NOTE] + > Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. ## Distribute content to the CM01 distribution portal 
@@ -92,9 +94,11 @@ In Configuration Manager, you can distribute all packages needed by a task seque On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. -2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. -3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. + +2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. + +3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the `distmgr.log` file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. ![Content status.](../images/cm01-content-status1.png) 
@@ -106,20 +110,25 @@ This section provides steps to help you create a deployment for the task sequenc On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**. + 2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and select **Next**. + 3. On the **Deployment Settings** page, use the below settings and then select **Next**: - * Purpose: Available - * Make available to the following: Only media and PXE + - Purpose: Available + - Make available to the following: Only media and PXE ![Configure the deployment settings.](../images/mdt-06-fig33.png) - + Configure the deployment settings 4. On the **Scheduling** page, accept the default settings and select **Next**. + 5. On the **User Experience** page, accept the default settings and select **Next**. + 6. On the **Alerts** page, accept the default settings and select **Next**. + 7. On the **Distribution Points** page, accept the default settings, select **Next** twice, and then select **Close**. ![Task sequence deployed.](../images/fig32-deploywiz.png) 
@@ -134,20 +143,20 @@ This section provides steps to help you configure the All Unknown Computers coll On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. +1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. 2. On the **Collection Variables** tab, create a new variable with the following settings: - * Name: OSDComputerName - * Clear the **Do not display this value in the Configuration Manager console** check box. + - Name: OSDComputerName + - Clear the **Do not display this value in the Configuration Manager console** check box. 3. Select **OK**. - >[!NOTE] - >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. - + > [!NOTE] + > Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. + ![Configure a collection variable.](../images/mdt-06-fig35.png) - + Configure a collection variable Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index ce164ba563..2fa98b5ab7 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -14,7 +14,7 @@ ms.date: 10/27/2022 # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager -**Applies to** +*Applies to:* - Windows 10 
@@ -28,18 +28,30 @@ In this article, you'll use [components](#components-of-configuration-manager-op > [!NOTE] > Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10). + - The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created. + - Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods). + - IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created. + - The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. + - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). -- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. + +- The [Windows ADK](/windows-hardware/get-started/adk-install) version that is [supported for the version of Configuration Manager](/mem/configmgr/core/plan-design/configs/support-for-windows-adk) that is installed, including the Windows PE add-on. USMT should be installed as part of the Windows ADK install. 
+ +- [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456 + +- DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. + - The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. > [!NOTE] - > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. + > CMTrace is automatically installed with the current branch of Configuration Manager at **`Program Files\Microsoft Configuration Manager\tools\cmtrace.exe`**. + +For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. -For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member. 
@@ -54,12 +66,12 @@ The following generic credentials are used in this guide. You should replace the - **Active Directory domain name**: `contoso.com` - **Domain administrator username**: `administrator` --**Domain administrator password**: `pass@word1` +- **Domain administrator password**: `pass@word1` ## Create the OU structure ->[!NOTE] ->If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. +> [!NOTE] +> If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. On **DC01**: 
@@ -107,25 +119,27 @@ A role-based model is used to configure permissions for the service accounts nee On **DC01**: -1. In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the Service Accounts OU and create the CM\_JD account using the following settings: +1. In the Active Directory Users and Computers console, browse to **contoso.com** > **Contoso** > **Service Accounts**. - * Name: CM\_JD - * User sign-in name: CM\_JD - * Password: `pass@word1` - * User must change password at next logon: Clear - * User can't change password: Selected - * Password never expires: Selected +2. Select the Service Accounts OU and create the CM\_JD account using the following settings: -3. Repeat the step, but for the CM\_NAA account. -4. After creating the accounts, assign the following descriptions: + - Name: CM\_JD + - User sign-in name: CM\_JD + - Password: `pass@word1` + - User must change password at next logon: Clear + - User can't change password: Selected + - Password never expires: Selected - * CM\_JD: Configuration Manager Join Domain Account - * CM\_NAA: Configuration Manager Network Access Account +3. Repeat the step, but for the CM\_NAA account. + +4. After creating the accounts, assign the following descriptions: + + - CM\_JD: Configuration Manager Join Domain Account + - CM\_NAA: Configuration Manager Network Access Account ## Configure Active Directory permissions -In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. 
These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to `C:\Setup\Scripts` on DC01. On **DC01**: @@ -139,18 +153,18 @@ On **DC01**: 2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted: - * Scope: This object and all descendant objects - * Create Computer objects - * Delete Computer objects - * Scope: Descendant Computer objects - * Read All Properties - * Write All Properties - * Read Permissions - * Modify Permissions - * Change Password - * Reset Password - * Validated write to DNS host name - * Validated write to service principal name + - Scope: This object and all descendant objects + - Create Computer objects + - Delete Computer objects + - Scope: Descendant Computer objects + - Read All Properties + - Write All Properties + - Read Permissions + - Modify Permissions + - Change Password + - Reset Password + - Validated write to DNS host name + - Validated write to service principal name ## Review the Sources folder structure @@ -158,9 +172,6 @@ On **CM01**: To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01): ->[!NOTE] ->In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server. - - D:\\Sources - D:\\Sources\\OSD - D:\\Sources\\OSD\\Boot 
@@ -173,11 +184,13 @@ To support the packages you create in this article, the following folder structu - D:\\Sources\\Software - D:\\Sources\\Software\\Adobe - D:\\Sources\\Software\\Microsoft +- D:\\Logs + +> [!NOTE] +> In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server. You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure: ->We'll also create the D:\Logs folder here which will be used later to support server-side logging. - ```powershell New-Item -ItemType Directory -Path "D:\Sources" New-Item -ItemType Directory -Path "D:\Sources\OSD" @@ -203,11 +216,13 @@ To extend the Configuration Manager console with MDT wizards and templates, inst On **CM01**: 1. Sign in as contoso\administrator. -2. Ensure the Configuration Manager Console is closed before continuing. -5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings: - * Site Server Name: CM01.contoso.com - * Site code: PS1 +2. Ensure the Configuration Manager Console is closed before continuing. + +3. Select Start, type **Configure ConfigManager Integration**, and run the application with the following settings: + + - Site Server Name: CM01.contoso.com + - Site code: PS1 ![figure 8.](../images/mdt-06-fig08.png) 
@@ -219,9 +234,11 @@ Most organizations want to display their name during deployment. In this section On **CM01**: -1. Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**. -2. In the right pane, right-click **Default Client Settings** and then select **Properties**. -3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**. +1. Open the Configuration Manager Console, select the **Administration** workspace, then select **Client Settings**. + +2. In the right pane, right-click **Default Client Settings** and then select **Properties**. + +3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, enter in **Contoso** and select **OK**. ![figure 9.](../images/mdt-06-fig10.png) 
@@ -237,9 +254,11 @@ Configuration Manager uses the Network Access account during the Windows 10 depl On **CM01**: -1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**. -2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**. -3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share. +1. Using the Configuration Manager Console, in the **Administration** workspace, expand **Site Configuration** and select **Sites**. + +2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**. + +3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the account **CONTOSO\\CM\_NAA** as the Network Access account (password: **pass@word1**). Use the new **Verify** option to verify that the account can connect to the **`\\DC01\sysvol`** network share. ![figure 11.](../images/mdt-06-fig12.png) 
@@ -251,36 +270,39 @@ Configuration Manager has many options for starting a deployment, but starting v On **CM01**: -1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**. -2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**. -3. On the **PXE** tab, use the following settings: +1. In the Configuration Manager Console, in the **Administration** workspace, select **Distribution Points**. - * Enable PXE support for clients - * Allow this distribution point to respond to incoming PXE requests - * Enable unknown computer - * Require a password when computers use PXE - * Password and Confirm password: pass@word1 +2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**. + +3. On the **PXE** tab, use the following settings: + + - Enable PXE support for clients + - Allow this distribution point to respond to incoming PXE requests + - Enable unknown computer + - Require a password when computers use PXE + - Password and Confirm password: pass@word1 ![figure 12.](../images/mdt-06-fig13.png) Configure the CM01 distribution point for PXE. - >[!NOTE] - >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). + > [!NOTE] + > If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (**SccmPxe**) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. 
For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). -4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. +4. Using the CMTrace tool, review the **`C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file. Look for the **ConfigurePXE** and **CcmInstallPXE** lines. ![figure 13.](../images/mdt-06-fig14.png) - The distmgr.log displays a successful configuration of PXE on the distribution point. + The `distmgr.log` displays a successful configuration of PXE on the distribution point. -5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. +5. Verify that you've seven files in each of the folders **`D:\RemoteInstall\SMSBoot\x86`** and **`D:\RemoteInstall\SMSBoot\x64`**. ![figure 14.](../images/mdt-06-fig15.png) The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE. - **Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder. + > [!NOTE] + > These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder. Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md). 
@@ -288,15 +310,24 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. -- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. -- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. -- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. -- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. -- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. -- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. 
For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). -- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. +- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. + +- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. + +- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. + +- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. + +- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. + +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. + +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. 
For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). + +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. + +- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. + > [!NOTE] > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. 
@@ -304,28 +335,31 @@ Operating system deployment with Configuration Manager is part of the normal sof As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. ->[!NOTE] ->MDT installation requires the following: ->- The Windows ADK for Windows 10 (installed in the previous procedure) ->- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) ->- Microsoft .NET Framework +> [!NOTE] +> MDT installation requires the following: +> +> - The Windows ADK for Windows 10 (installed in the previous procedure) +> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) +> - Microsoft .NET Framework ### MDT enables dynamic deployment -When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. +When MDT is integrated with Configuration Manager, the task sequence processes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the `CustomSettings.ini` file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. 
Here are a few examples: -- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. - ``` syntax +- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. + + ```ini [Settings] Priority=Model [HP EliteBook 8570w] Packages001=PS100010:Install HP Hotkeys ``` -- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. - ``` syntax +- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. + + ```ini [Settings] Priority= ByLaptopType, ByDesktopType [ByLaptopType] 
@@ -373,13 +407,17 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op ### Why use MDT Lite Touch to create reference images -You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: +You can create reference images for Configuration Manager in Configuration Manager, but in general it is recommended to create them in MDT Lite Touch for the following reasons: -- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. -- The Configuration Manager task sequence doesn't suppress user interface interaction. -- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. -- MDT Lite Touch doesn't require any infrastructure and is easy to delegate. +- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. 
+ +- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. + +- The Configuration Manager task sequence suppresses user interface interaction. + +- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. + +- MDT Lite Touch doesn't require any infrastructure and is easy to delegate. ## Related articles diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 473643d7e9..d87aff2989 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -15,7 +15,7 @@ ms.date: 10/27/2022 # Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 
@@ -23,29 +23,31 @@ This article will show you how to refresh a Windows 7 SP1 client with Windows 10 A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps: -1. Data and settings are backed up locally in a backup folder. -2. The partition is wiped, except for the backup folder. -3. The new operating system image is applied. -4. Other applications are installed. -5. Data and settings are restored. +1. Data and settings are backed up locally in a backup folder. +2. The partition is wiped, except for the backup folder. +3. The new operating system image is applied. +4. Other applications are installed. +5. Data and settings are restored. ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. 
+ - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10. ->[!NOTE] ->If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ->[!IMPORTANT] ->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. 
+> [!IMPORTANT] +> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso** > **Computers** > **Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. ## Verify the Configuration Manager client settings @@ -53,8 +55,10 @@ To verify that PC003 is correctly assigned to the PS1 site: On **PC0003**: -1. Open the Configuration Manager control panel (control smscfgrc). +1. Open the Configuration Manager control panel (`control.exe smscfgrc`). + 2. On the **Site** tab, select **Configure Settings**, then select **Find Site**. + 3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example. ![Found a site to manage this client.](../images/pc0003a.png) 
@@ -63,49 +67,49 @@ On **PC0003**: On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - * General - * Name: Install Windows 10 Enterprise x64 - * Limited Collection: All Systems - * Membership rules - * Add Rule: Direct rule - * Resource Class: System Resource - * Attribute Name: Name - * Value: PC0003 - * Select Resources - * Select **PC0003** + - General + - Name: Install Windows 10 Enterprise x64 + - Limited Collection: All Systems + - Membership rules + - Add Rule: Direct rule + - Resource Class: System Resource + - Attribute Name: Name + - Value: PC0003 + - Select Resources + - Select **PC0003** - Use the default settings to complete the remaining wizard pages and select **Close**. + Use the default settings to complete the remaining wizard pages and select **Close**. -2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. +2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. - >[!NOTE] - >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. + > [!NOTE] + > It may take a short while for the collection to refresh; you can view progress via the `Colleval.log` file. 
If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. ## Create a new deployment On **CM01**: -Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings: +Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings: - General - - Collection: Install Windows 10 Enterprise x64 + - Collection: Install Windows 10 Enterprise x64 - Deployment Settings - - Purpose: Available - - Make available to the following: Configuration Manager clients, media and PXE + - Purpose: Available + - Make available to the following: Configuration Manager clients, media and PXE - >[!NOTE] - >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + > [!NOTE] + > It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - Scheduling - - <default> + - *\* - User Experience - - <default> + - *\* - Alerts - - <default> + - *\* - Distribution Points - - <default> + - *\* ## Initiate a computer refresh 
@@ -113,12 +117,14 @@ Now you can start the computer refresh on PC0003. On **CM01**: -1. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears. +1. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears. On **PC0003**: -1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**. -2. In the **Software Center** warning dialog box, select **Install Operating System**. +1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**. + +2. In the **Software Center** warning dialog box, select **Install Operating System**. + 3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples: ![Task sequence example 1.](../images/pc0003b.png)
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 45a35d3282..dd75747e26 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -16,7 +16,7 @@ ms.date: 10/27/2022 # Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 
@@ -26,46 +26,56 @@ In this article, you'll create a backup-only task sequence that you run on PC000 ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. + - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. + - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced. + - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004. ->[!NOTE] ->PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. 
However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ->[!IMPORTANT] ->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. +> [!IMPORTANT] +> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. 
Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. ## Create a replace task sequence On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + 2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and select **Next**. + 3. On the **General** page, assign the following settings and select **Next**: - * Task sequence name: Replace Task Sequence - * Task sequence comments: USMT backup only + - Task sequence name: Replace Task Sequence + - Task sequence comments: USMT backup only 4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. + 5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then select **Next**. + 6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then select **Next**. + 7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then select **Next**. + 8. On the **Summary** page, review the details and then select **Next**. + 9. On the **Confirmation** page, select **Finish**. -10. Review the Replace Task Sequence. +10. Review the Replace Task Sequence. - >[!NOTE] - >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence. + > [!NOTE] + > This task sequence has many fewer actions than the normal client task sequence. 
If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence. ![The back-up only task sequence.](../images/mdt-06-fig42.png "The back-up only task sequence") 
@@ -77,70 +87,78 @@ This section walks you through the process of associating a new, blank device (P On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS: -1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. +1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. On **CM01**: -2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. -3. On the **Select Source** page, select **Import single computer** and select **Next**. -4. On the **Single Computer** page, use the following settings and then select **Next**: +1. When you're using the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices**, and then select **Import Computer Information**. - * Computer Name: PC0006 - * MAC Address: <the mac address that you wrote down> - * Source Computer: PC0004 +2. On the **Select Source** page, select **Import single computer** and select **Next**. + +3. On the **Single Computer** page, use the following settings and then select **Next**: + + - Computer Name: PC0006 + - MAC Address: *\ + - Source Computer: PC0004 ![Create the computer association.](../images/mdt-06-fig43.png "Create the computer association") Creating the computer association between PC0004 and PC0006. -5. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**. -6. On the **Data Preview** page, select **Next**. -7. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. 
Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**. -8. On the **Summary** page, select **Next**, and then select **Close**. -9. Select the **User State Migration** node and review the computer association in the right hand pane. -10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. -11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. +4. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**. + +5. On the **Data Preview** page, select **Next**. + +6. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**. + +7. On the **Summary** page, select **Next**, and then select **Close**. + +8. Select the **User State Migration** node and review the computer association in the right hand pane. + +9. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. + +10. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. ## Create a device collection and add the PC0004 computer On **CM01**: -1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. 
When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - * General - * Name: USMT Backup (Replace) - * Limited Collection: All Systems - * Membership rules: - * Add Rule: Direct rule - * Resource Class: System Resource - * Attribute Name: Name - * Value: PC0004 - * Select Resources: - * Select **PC0004** + - General + - Name: USMT Backup (Replace) + - Limited Collection: All Systems + - Membership rules: + - Add Rule: Direct rule + - Resource Class: System Resource + - Attribute Name: Name + - Value: PC0004 + - Select Resources: + - Select **PC0004** Use default settings for the remaining wizard pages, then select **Close**. -2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. +2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. ## Create a new deployment On **CM01**: -Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: +Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. 
Use the following settings: -- General - - Collection: USMT Backup (Replace) -- Deployment Settings - - Purpose: Available - - Make available to the following: Only Configuration Manager Clients -- Scheduling - - <default> -- User Experience - - <default> -- Alerts - - <default> -- Distribution Points - - <default> +- General + - Collection: USMT Backup (Replace) +- Deployment Settings + - Purpose: Available + - Make available to the following: Only Configuration Manager Clients +- Scheduling + - *\ +- User Experience + - *\ +- Alerts + - *\ +- Distribution Points + - *\ ## Verify the backup 
@@ -148,15 +166,17 @@ This section assumes that you have a computer named PC0004 with the Configuratio On **PC0004**: -1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). -2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. +1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (**`control.exe smscfgrc`**). +2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + > [!NOTE] + > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). -3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**. -4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. -5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes. +3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**. + +4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. + +5. Allow the Replace Task Sequence to complete. 
The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes. ![Task sequence example.](../images/pc0004b.png) @@ -164,11 +184,12 @@ Capturing the user state On **CM01**: -6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. -7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. +1. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. - >[!NOTE] - >It may take a few minutes for the user state store location to be populated. +2. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. + + > [!NOTE] + > It may take a few minutes for the user state store location to be populated. ## Deploy the new computer 
@@ -176,16 +197,16 @@ On **PC0006**: 1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: - * Password: pass@word1 - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM + - Password: pass@word1 + - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM -2. The setup now starts and does the following steps: +2. The setup now starts and does the following steps: - * Installs the Windows 10 operating system - * Installs the Configuration Manager client - * Joins it to the domain - * Installs the applications - * Restores the PC0004 backup + - Installs the Windows 10 operating system + - Installs the Configuration Manager client + - Joins it to the domain + - Installs the applications + - Restores the PC0004 backup When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index 687b63ad7c..db3236d549 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md 
@@ -15,25 +15,25 @@ ms.date: 10/27/2022 # Perform an in-place upgrade to Windows 10 using Configuration Manager +*Applies to:* -**Applies to** - -- Windows 10 +- Windows 10 The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Configuration Manager task sequence to completely automate the process. ->[!IMPORTANT] ->Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. +> [!IMPORTANT] +> Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. 
For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates. 
@@ -43,30 +43,40 @@ Configuration Manager Current Branch includes a native in-place upgrade task. Th On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**. -2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**. + +2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **`\\cm01\Sources$\OSD\UpgradePackages\Windows 10`**. + 3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**. + 4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then select **Next**. + 5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**. -6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. -7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. -8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). 
You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. + +6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. + +8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the **`D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file and look for the **STATMSG: ID=2301** line. ## Create an in-place upgrade task sequence On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**. + 2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and select **Next**. + 3. Use the below settings to complete the wizard: - * Task sequence name: Upgrade Task Sequence - * Description: In-place upgrade - * Upgrade package: Windows 10 x64 RTM - * Include software updates: Don't install any software updates - * Install applications: OSD \ Adobe Acrobat Reader DC + - Task sequence name: Upgrade Task Sequence + - Description: In-place upgrade + - Upgrade package: Windows 10 x64 RTM + - Include software updates: Don't install any software updates + - Install applications: OSD \ Adobe Acrobat Reader DC 4. Complete the wizard, and select **Close**. + 5. Review the Upgrade Task Sequence. ![The upgrade task sequence.](../images/cm-upgrade-ts.png) 
@@ -79,7 +89,7 @@ After you create the upgrade task sequence, you can create a collection to test On **CM01**: -1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General - Name: Windows 10 x64 in-place upgrade - Limited Collection: All Systems @@ -91,7 +101,7 @@ On **CM01**: - Select Resources - Select PC0004 -2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. +2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. ## Deploy the Windows 10 upgrade 
@@ -99,15 +109,23 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Updat On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**. -2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**. -3. On the **Content** page, select **Next**. -4. On the **Deployment Settings** page, select **Next**: -5. On the **Scheduling** page, accept the default settings, and then select **Next**. -6. On the **User Experience** page, accept the default settings, and then select **Next**. -7. On the **Alerts** page, accept the default settings, and then select **Next**. -7. On the **Distribution Points** page, accept the default settings, and then select **Next**. -8. On the **Summary** page, select **Next**, and then select **Close**. +1. Using the Configuration Manager console, in the **Software Library** workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**. + +2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**. + +3. On the **Content** page, select **Next**. + +4. On the **Deployment Settings** page, select **Next**: + +5. On the **Scheduling** page, accept the default settings, and then select **Next**. + +6. On the **User Experience** page, accept the default settings, and then select **Next**. + +7. On the **Alerts** page, accept the default settings, and then select **Next**. + +8. On the **Distribution Points** page, accept the default settings, and then select **Next**. + +9. On the **Summary** page, select **Next**, and then select **Close**. ## Start the Windows 10 upgrade 
@@ -115,15 +133,18 @@ Next, run the in-place upgrade task sequence on PC0004. On **PC0004**: -1. Open the Configuration Manager control panel (control smscfgrc). -2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. +1. Open the Configuration Manager control panel (`control.exe smscfgrc`). - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). +2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. -3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**. -4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. -5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples: + > [!NOTE] + > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + +3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**. + +4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. + +5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the **Operating System Upgrade Package** (the Windows installation source files), perform an in-place upgrade, and install your added applications. 
See the following examples: ![Upgrade task sequence example 1.](../images/pc0004-a.png)
![Upgrade task sequence example 2.](../images/pc0004-b.png)
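Review bot: in the Deploy hunk (@@ -99,15 +109,23 @@), step 4 still ends with a colon ("On the **Deployment Settings** page, select **Next**:") while every other step in the list ends with a period; since this hunk already renumbers the duplicated step 7 into 8 and 9, change that trailing colon to a period in the same pass so the list is consistent.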
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index efcf8b1227..a4990f1916 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -143,8 +143,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320263_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320263_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 873c456881..0a538f15f8 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md 
@@ -6,16 +6,17 @@ manager: aaroncz author: frankroj ms.author: frankroj ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows To Go in your organization -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. 
@@ -26,15 +27,15 @@ This article helps you to deploy Windows To Go in your organization. Before you The below list is items that you should be aware of before you start the deployment process: -* Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. +- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. -* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. +- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. -* When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. +- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. -* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. 
For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). -* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. +- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. ## Basic deployment steps 
@@ -42,15 +43,15 @@ Unless you're using a customized operating system image, your initial Windows To Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)). ->[!WARNING] ->If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. +> [!WARNING] +> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. ### Create the Windows To Go workspace In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools. ->[!WARNING] ->The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. +> [!WARNING] +> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. #### To create a Windows To Go workspace with the Windows To Go Creator Wizard 
@@ -58,37 +59,31 @@ In this step we're creating the operating system image that will be used on the 2. Insert the USB drive that you want to use as your Windows To Go drive into your PC. -3. Verify that the .wim file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. +3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. - >[!NOTE] - >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). + > [!NOTE] + > For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). -4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. +4. Search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. 5. 
On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.** -6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the .wim file location and select select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. +6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. -7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions. -r +7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - >[!WARNING] - >If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. + > [!WARNING] + > If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. 
Drives protected with BitLocker should not be duplicated. - If you choose to encrypt the Windows To Go drive now: + If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - -~~~ - >[!IMPORTANT] - >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). -~~~ + > [!IMPORTANT] + > The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. 
This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). 8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process. - >[!WARNING] - >The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. + > [!WARNING] + > The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. 9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. 
@@ -98,11 +93,15 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. -1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. +1. Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. -2. In the Windows PowerShell session type, the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: +2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: - ``` +
+
+ Expand to show PowerShell commands to partition an MBR disk + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -136,27 +135,31 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
+ 3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - >[!TIP] - >The index number must be set correctly to a valid Enterprise image in the .WIM file. + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - ``` + ```cmd #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` -4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: +4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. 
The following example illustrates this step: -~~~ -``` -W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: -``` -~~~ + ```cmd + W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S: + ``` 5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: - ``` +
+
+ Expand to show example san_policy.xml file + + ```xml @@ -186,15 +189,21 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` +
+ 6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command: - ``` + ```cmd Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml ``` 7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file: - ``` +
+
+ Expand to show example san_policy.xml file + + ```xml @@ -218,10 +227,12 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` - After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\) +
- >[!IMPORTANT] - >Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. + After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`) + + > [!IMPORTANT] + > Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. 
@@ -231,14 +242,14 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. ->[!TIP] ->If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. +> [!TIP] +> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer. To set the Windows To Go Startup options for host computers running Windows 10: -1. Using Cortana, search for **Windows To Go startup options** and then press **Enter**. +1. Search for **Windows To Go startup options** and then press **Enter**. 2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB 
@@ -250,7 +261,7 @@ For host computers running Windows 8 or Windows 8.1: You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting: -**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\Windows To Go Default Startup Options** +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options** After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options. 
@@ -260,13 +271,13 @@ Your host computer is now ready to boot directly into Windows To Go workspace wh After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace: -**To boot your workspace** +**To boot your workspace:** -1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. +1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. -2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. +2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. -3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to type the password, otherwise the workspace will boot directly into the Windows To Go workspace. +3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace. ## Advanced deployment steps 
@@ -276,26 +287,26 @@ The following steps are used for more advanced deployments where you want to hav Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network. -**Prerequisites for remote access scenario** +**Prerequisites for remote access scenario:** -- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer +- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer -- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. +- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. 
-- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer +- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer -- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain +- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain -**To configure your Windows To Go workspace for remote access** +**To configure your Windows To Go workspace for remote access:** 1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: - ``` - djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse + ```cmd + djoin.exe /provision /domain /machine /certtemplate /policynames /savefile /reuse ``` - >[!NOTE] - >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). + > [!NOTE] + > The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. 
Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). 2. Insert the Windows To Go drive. @@ -303,7 +314,11 @@ Making sure that Windows To Go workspaces are effective when used off premises i 4. From the Windows PowerShell command prompt run: - ``` +
+
+ Expand this section to show PowerShell commands to run + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -337,27 +352,31 @@ Making sure that Windows To Go workspaces are effective when used off premises i Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
+ 5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): -~~~ ->[!TIP] ->The index number must be set correctly to a valid Enterprise image in the .WIM file. + ```cmd + #The WIM file must contain a sysprep generalized image. + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + ``` -``` -#The WIM file must contain a sysprep generalized image. -dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ -``` -~~~ + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. 6. After those commands have completed, run the following command: - ``` - djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows + ```cmd + djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows ``` 7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)): - ``` +
+
+ Expand this section to show example unattend.xml file + + ```xml @@ -391,16 +410,18 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind ``` +
+ 8. Safely remove the Windows To Go drive. 9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. - * If on premises using a host computer with a direct network connection, sign on using your domain credentials. + - If on premises using a host computer with a direct network connection, sign on using your domain credentials. - * If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. + - If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. - >[!NOTE] - >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. + > [!NOTE] + > Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. 
@@ -410,17 +431,23 @@ Enabling BitLocker on your Windows To Go drive will help ensure that your data i #### Prerequisites for enabling BitLocker scenario -* A Windows To Go drive that can be successfully provisioned. +- A Windows To Go drive that can be successfully provisioned. -* A computer running Windows 8 configured as a Windows To Go host computer +- A computer running Windows 8 configured as a Windows To Go host computer -* Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: +- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup**. This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Configure use of passwords for operating system drives**. This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. 
For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. + This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Enable use of BitLocker authentication requiring preboot keyboard input on slates**. This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives** + + This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled. 
+ + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates** + + This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios. 
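Review bot: the three BitLocker policy paths in this hunk start at **Windows Components**, while the hunk at @@ -250,7 +261,7 @@ spells the full path **Computer Configuration** > **Administrative Templates** > **Windows Components** > ...; use the same full path here so readers look under the same root for the BitLocker settings. Also, in the paragraph for **Configure use of passwords for operating system drives**, "must be also enabled" reads better as "must also be enabled".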
@@ -432,10 +459,12 @@ Enabling BitLocker after distribution requires that your users turn on BitLocker BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It's recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you don't want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled. -- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. +- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. -- **Warning** - If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. +- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. 
+ + > [!WARNING] + > If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. #### To enable BitLocker during provisioning @@ -447,10 +476,14 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 4. Provision the Windows To Go drive using the following cmdlets: - >[!NOTE] - >If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. + > [!NOTE] + > If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. - ``` +
+
+ Expand this section to show PowerShell commands to run + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -484,25 +517,27 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
+ Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - >[!TIP] - >The index number must be set correctly to a valid Enterprise image in the .WIM file. + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - ``` + ```cmd #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` 5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive: - ``` + ```powershell $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector ``` 6. Next, use the following cmdlets to save the recovery key to a file: - ``` + ```powershell #The BitLocker Recovery key is essential if for some reason you forget the BitLocker password #This recovery key can also be backed up into Active Directory using manage-bde.exe or the #PowerShell cmdlet Backup-BitLockerKeyProtector. 
@@ -512,35 +547,34 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation: - ``` + ```powershell # Create a variable to store the password $spwd = ConvertTo-SecureString -String -AsplainText -Force Enable-BitLocker W: -PasswordProtector $spwd ``` - >[!WARNING] - >To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. + > [!WARNING] + > To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. 
If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. 8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. - >[!WARNING] - >If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. + > [!WARNING] + > If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker). + If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution). 9. Safely remove the Windows To Go drive. The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information: -* Initial BitLocker password that they'll need to boot the drives. 
+- Initial BitLocker password that they'll need to boot the drives. -* Current encryption status. +- Current encryption status. -* Instructions to change the BitLocker password after the initial boot. +- Instructions to change the BitLocker password after the initial boot. -* Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. +- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. - #### To enable BitLocker after distribution 1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace @@ -551,8 +585,8 @@ The Windows To Go drives are now ready to be distributed to users and are protec 4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. ->[!NOTE] ->If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. +> [!NOTE] +> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. ### Advanced deployment sample script 
@@ -562,11 +596,11 @@ The sample script creates an unattend file that streamlines the deployment proce #### Prerequisites for running the advanced deployment sample script -* To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. +- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. -* Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters. +- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters. -* The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. +- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. #### To run the advanced deployment sample script 
@@ -576,22 +610,26 @@ The sample script creates an unattend file that streamlines the deployment proce 3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: - ``` + ```powershell Set-ExecutionPolicy RemoteSigned ``` The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy). > [!TIP] - > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for: - > + > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `` with the name of the cmdlet you want to see the help for: + > > `Get-Help -Online` - > + > > This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. #### Windows To Go multiple drive provisioning sample script -``` +
+
+ Expand this section to view Windows To Go multiple drive provisioning sample script + +```powershell <# .SYNOPSIS Windows To Go multiple drive provisioning sample script. @@ -959,22 +997,23 @@ write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)" write-output "" "Provisioning script complete." ``` +
+ ## Considerations when using different USB keyboard layouts with Windows To Go In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout: -``` - reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f - reg unload HKLM\WTG-Keyboard +```cmd +reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f +reg.exe unload HKLM\WTG-Keyboard ``` ## Related articles - [Windows To Go: feature overview](planning/windows-to-go-overview.md) [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 51982b85d2..6274640054 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md 
@@ -9,7 +9,7 @@ ms.prod: windows-client ms.localizationpriority: medium ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- 
@@ -23,7 +23,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This article provides information about support for upgrading directly to Windows 10 from a previous operating system. | |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. | |[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. | -|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. 
| |[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 4589ac5834..07805dc6fb 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml 
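Review bot: the removed and added rows for the Upgrade Readiness entry in hunk @@ -23,7 +23,7 @@ are textually identical, so this looks like a whitespace-only change (probably trailing whitespace); fine to keep, but confirm nothing else differs in the rendered table row.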
@@ -1,51 +1,67 @@ -- name: Delivery Optimization for Windows client +- name: Delivery Optimization for Windows client and Microsoft Connected Cache href: index.yml +- name: What's new + href: whats-new-do.md items: - - name: Get started - items: - - name: What is Delivery Optimization - href: waas-delivery-optimization.md - - name: What's new - href: whats-new-do.md - - name: Delivery Optimization Frequently Asked Questions - href: waas-delivery-optimization-faq.yml - - - - - name: Configure Delivery Optimization +- name: Delivery Optimization + items: + - name: What is Delivery Optimization + href: waas-delivery-optimization.md + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization for Windows clients + items: + - name: Windows client Delivery Optimization settings + href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings + - name: Configure Delivery Optimization settings using Microsoft Intune + href: /mem/intune/configuration/delivery-optimization-windows + - name: Resources for Delivery Optimization + items: + - name: Set up Delivery Optimization for Windows + href: waas-delivery-optimization-setup.md + - name: Delivery Optimization reference + href: waas-delivery-optimization-reference.md + - name: Delivery Optimization client-service communication + href: delivery-optimization-workflow.md + - name: Using a proxy with Delivery Optimization + href: delivery-optimization-proxy.md +- name: Microsoft Connected Cache + items: + - name: Microsoft Connected Cache overview + href: waas-microsoft-connected-cache.md + - name: MCC for Enterprise and Education items: - - name: Configure Windows Clients - items: - - name: Windows Delivery Optimization settings - href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - - name: Windows Delivery Optimization Frequently Asked Questions - href: 
../do/waas-delivery-optimization-faq.yml - - name: Configure Microsoft Intune - items: - - name: Delivery Optimization settings in Microsoft Intune - href: /mem/intune/configuration/delivery-optimization-windows - - - name: Microsoft Connected Cache + - name: Requirements + href: mcc-enterprise-prerequisites.md + - name: Deploy Microsoft Connected Cache + href: mcc-enterprise-deploy.md + - name: Update or uninstall MCC + href: mcc-enterprise-update-uninstall.md + - name: Appendix + href: mcc-enterprise-appendix.md + - name: MCC for ISPs items: - - name: MCC overview - href: waas-microsoft-connected-cache.md - - name: MCC for Enterprise and Education - href: mcc-enterprise.md - - name: MCC for ISPs + - name: How-to guides + items: + - name: Operator sign up and service onboarding + href: mcc-isp-signup.md + - name: Create, provision, and deploy the cache node in Azure portal + href: mcc-isp-create-provision-deploy.md + - name: Verify cache node functionality and monitor health and performance + href: mcc-isp-verify-cache-node.md + - name: Update or uninstall your cache node + href: mcc-isp-update.md + - name: Resources + items: + - name: Frequently Asked Questions + href: mcc-isp-faq.yml + - name: Enhancing VM performance + href: mcc-isp-vm-performance.md + - name: Support and troubleshooting + href: mcc-isp-support.md + - name: MCC for ISPs (early preview) href: mcc-isp.md +- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache + href: delivery-optimization-endpoints.md - - name: Resources - items: - - name: Set up Delivery Optimization for Windows - href: waas-delivery-optimization-setup.md - - name: Delivery Optimization reference - href: waas-delivery-optimization-reference.md - - name: Delivery Optimization client-service communication - href: delivery-optimization-workflow.md - - name: Using a proxy with Delivery Optimization - href: delivery-optimization-proxy.md - - name: Content endpoints for Delivery Optimization and Microsoft 
Connected Cache - href: delivery-optimization-endpoints.md - - name: Testing Delivery Optimization - href: delivery-optimization-test.md - + diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png new file mode 100644 index 0000000000..ea8db2a08a Binary files /dev/null and b/windows/deployment/do/images/addcachenode.png differ diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md new file mode 100644 index 0000000000..f97aed1785 --- /dev/null +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md 
@@ -0,0 +1,30 @@ +--- +title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI +manager: aaroncz +description: Elixir images read me file +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Read Me + +This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository: + +:::image type="content" source="ux-check-verbose-2.png" alt-text="A screenshot that shows 6 out of the 22 checks raising errors."::: + +:::image type="content" source="ux-check-verbose-1.png" alt-text="A screenshot that all checks passing after the iotedge check command."::: + +:::image type="content" source="ux-connectivity-check.png" alt-text="A screenshot of green checkmarks, showing that all of the connectivity checks are successful."::: + +:::image type="content" source="ux-edge-agent-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', which shows three containers and the edgeAgent container failing."::: + +:::image type="content" source="ux-iot-edge-list.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing all three containers running successfully."::: + +:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the MCC container in a failure state."::: \ No newline at end of file diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png new file mode 100644 index 0000000000..692416d04c Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png differ 
diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png new file mode 100644 index 0000000000..5f232fe0c6 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png new file mode 100644 index 0000000000..0e72c45b33 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png new file mode 100644 index 0000000000..1ce0e3e929 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png new file mode 100644 index 0000000000..a26638a119 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png new file mode 100644 index 0000000000..b82d0e4441 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png differ diff --git a/windows/deployment/do/images/emcc07.png b/windows/deployment/do/images/emcc07.png deleted file mode 100644 index 21420eab09..0000000000 Binary files a/windows/deployment/do/images/emcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/emcc10.png b/windows/deployment/do/images/emcc10.png deleted file mode 100644 index 77c8754bf5..0000000000 Binary files a/windows/deployment/do/images/emcc10.png and /dev/null differ 
diff --git a/windows/deployment/do/images/emcc06.png b/windows/deployment/do/images/ent-mcc-azure-cache-created.png similarity index 100% rename from windows/deployment/do/images/emcc06.png rename to windows/deployment/do/images/ent-mcc-azure-cache-created.png diff --git a/windows/deployment/do/images/emcc05.png b/windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png similarity index 100% rename from windows/deployment/do/images/emcc05.png rename to windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png diff --git a/windows/deployment/do/images/emcc04.png b/windows/deployment/do/images/ent-mcc-azure-marketplace.png similarity index 100% rename from windows/deployment/do/images/emcc04.png rename to windows/deployment/do/images/ent-mcc-azure-marketplace.png diff --git a/windows/deployment/do/images/emcc03.png b/windows/deployment/do/images/ent-mcc-azure-search-result.png similarity index 100% rename from windows/deployment/do/images/emcc03.png rename to windows/deployment/do/images/ent-mcc-azure-search-result.png diff --git a/windows/deployment/do/images/emcc08.png b/windows/deployment/do/images/ent-mcc-cache-nodes.png similarity index 100% rename from windows/deployment/do/images/emcc08.png rename to windows/deployment/do/images/ent-mcc-cache-nodes.png diff --git a/windows/deployment/do/images/emcc20.png b/windows/deployment/do/images/ent-mcc-connect-eflowvm.png similarity index 100% rename from windows/deployment/do/images/emcc20.png rename to windows/deployment/do/images/ent-mcc-connect-eflowvm.png diff --git a/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png new file mode 100644 index 0000000000..45cb01de9f Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png differ 
diff --git a/windows/deployment/do/images/emcc02.png b/windows/deployment/do/images/ent-mcc-create-azure-resource.png similarity index 100% rename from windows/deployment/do/images/emcc02.png rename to windows/deployment/do/images/ent-mcc-create-azure-resource.png diff --git a/windows/deployment/do/images/ent-mcc-create-cache-failed.png b/windows/deployment/do/images/ent-mcc-create-cache-failed.png new file mode 100644 index 0000000000..5c2ac09d56 Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-create-cache-failed.png differ diff --git a/windows/deployment/do/images/emcc09.5.png b/windows/deployment/do/images/ent-mcc-create-cache-node-name.png similarity index 100% rename from windows/deployment/do/images/emcc09.5.png rename to windows/deployment/do/images/ent-mcc-create-cache-node-name.png diff --git a/windows/deployment/do/images/emcc09.png b/windows/deployment/do/images/ent-mcc-create-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc09.png rename to windows/deployment/do/images/ent-mcc-create-cache-node.png diff --git a/windows/deployment/do/images/emcc11.png b/windows/deployment/do/images/ent-mcc-delete-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc11.png rename to windows/deployment/do/images/ent-mcc-delete-cache-node.png diff --git a/windows/deployment/do/images/emcc29.png b/windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png similarity index 100% rename from windows/deployment/do/images/emcc29.png rename to windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png diff --git a/windows/deployment/do/images/emcc12.png b/windows/deployment/do/images/ent-mcc-download-installer.png similarity index 100% rename from windows/deployment/do/images/emcc12.png rename to windows/deployment/do/images/ent-mcc-download-installer.png 
diff --git a/windows/deployment/do/images/emcc28.png b/windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png similarity index 100% rename from windows/deployment/do/images/emcc28.png rename to windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png diff --git a/windows/deployment/do/images/emcc26.png b/windows/deployment/do/images/ent-mcc-group-policy-hostname.png similarity index 100% rename from windows/deployment/do/images/emcc26.png rename to windows/deployment/do/images/ent-mcc-group-policy-hostname.png diff --git a/windows/deployment/do/images/emcc13.png b/windows/deployment/do/images/ent-mcc-installer-script.png similarity index 100% rename from windows/deployment/do/images/emcc13.png rename to windows/deployment/do/images/ent-mcc-installer-script.png diff --git a/windows/deployment/do/images/emcc23.png b/windows/deployment/do/images/ent-mcc-intune-do.png similarity index 100% rename from windows/deployment/do/images/emcc23.png rename to windows/deployment/do/images/ent-mcc-intune-do.png diff --git a/windows/deployment/do/images/emcc24.png b/windows/deployment/do/images/ent-mcc-iotedge-list.png similarity index 100% rename from windows/deployment/do/images/emcc24.png rename to windows/deployment/do/images/ent-mcc-iotedge-list.png diff --git a/windows/deployment/do/images/emcc25.png b/windows/deployment/do/images/ent-mcc-journalctl.png similarity index 100% rename from windows/deployment/do/images/emcc25.png rename to windows/deployment/do/images/ent-mcc-journalctl.png diff --git a/windows/deployment/do/images/emcc01.png b/windows/deployment/do/images/ent-mcc-overview.png similarity index 100% rename from windows/deployment/do/images/emcc01.png rename to windows/deployment/do/images/ent-mcc-overview.png 
diff --git a/windows/deployment/do/images/emcc19.png b/windows/deployment/do/images/ent-mcc-script-complete.png similarity index 100% rename from windows/deployment/do/images/emcc19.png rename to windows/deployment/do/images/ent-mcc-script-complete.png diff --git a/windows/deployment/do/images/emcc17.png b/windows/deployment/do/images/ent-mcc-script-device-code.png similarity index 100% rename from windows/deployment/do/images/emcc17.png rename to windows/deployment/do/images/ent-mcc-script-device-code.png diff --git a/windows/deployment/do/images/emcc16.png b/windows/deployment/do/images/ent-mcc-script-dynamic-address.png similarity index 100% rename from windows/deployment/do/images/emcc16.png rename to windows/deployment/do/images/ent-mcc-script-dynamic-address.png diff --git a/windows/deployment/do/images/emcc15.png b/windows/deployment/do/images/ent-mcc-script-existing-switch.png similarity index 100% rename from windows/deployment/do/images/emcc15.png rename to windows/deployment/do/images/ent-mcc-script-existing-switch.png diff --git a/windows/deployment/do/images/emcc14.png b/windows/deployment/do/images/ent-mcc-script-new-switch.png similarity index 100% rename from windows/deployment/do/images/emcc14.png rename to windows/deployment/do/images/ent-mcc-script-new-switch.png diff --git a/windows/deployment/do/images/emcc18.png b/windows/deployment/do/images/ent-mcc-script-select-hub.png similarity index 100% rename from windows/deployment/do/images/emcc18.png rename to windows/deployment/do/images/ent-mcc-script-select-hub.png diff --git a/windows/deployment/do/images/emcc27.png b/windows/deployment/do/images/ent-mcc-store-example-download.png similarity index 100% rename from windows/deployment/do/images/emcc27.png rename to windows/deployment/do/images/ent-mcc-store-example-download.png 
diff --git a/windows/deployment/do/images/emcc22.png b/windows/deployment/do/images/ent-mcc-verify-server-powershell.png similarity index 100% rename from windows/deployment/do/images/emcc22.png rename to windows/deployment/do/images/ent-mcc-verify-server-powershell.png diff --git a/windows/deployment/do/images/emcc21.png b/windows/deployment/do/images/ent-mcc-verify-server-ssh.png similarity index 100% rename from windows/deployment/do/images/emcc21.png rename to windows/deployment/do/images/ent-mcc-verify-server-ssh.png diff --git a/windows/deployment/do/images/imcc07.png b/windows/deployment/do/images/imcc07.png deleted file mode 100644 index 31668ba8a1..0000000000 Binary files a/windows/deployment/do/images/imcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc21.png b/windows/deployment/do/images/imcc21.png deleted file mode 100644 index 5bd68d66c5..0000000000 Binary files a/windows/deployment/do/images/imcc21.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc48.png b/windows/deployment/do/images/imcc48.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc48.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc49.png b/windows/deployment/do/images/imcc49.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc49.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc53.png b/windows/deployment/do/images/imcc53.png deleted file mode 100644 index ddec14d717..0000000000 Binary files a/windows/deployment/do/images/imcc53.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png deleted file mode 100644 index c40ab0c5c9..0000000000 Binary files a/windows/deployment/do/images/imcc54.png and /dev/null differ 
diff --git a/windows/deployment/do/images/imcc24.png b/windows/deployment/do/images/mcc-isp-bash-allocate-space.png similarity index 100% rename from windows/deployment/do/images/imcc24.png rename to windows/deployment/do/images/mcc-isp-bash-allocate-space.png diff --git a/windows/deployment/do/images/imcc23.png b/windows/deployment/do/images/mcc-isp-bash-datadrive.png similarity index 100% rename from windows/deployment/do/images/imcc23.png rename to windows/deployment/do/images/mcc-isp-bash-datadrive.png diff --git a/windows/deployment/do/images/imcc20.png b/windows/deployment/do/images/mcc-isp-bash-device-code.png similarity index 100% rename from windows/deployment/do/images/imcc20.png rename to windows/deployment/do/images/mcc-isp-bash-device-code.png diff --git a/windows/deployment/do/images/imcc22.png b/windows/deployment/do/images/mcc-isp-bash-drive-number.png similarity index 100% rename from windows/deployment/do/images/imcc22.png rename to windows/deployment/do/images/mcc-isp-bash-drive-number.png diff --git a/windows/deployment/do/images/imcc25.png b/windows/deployment/do/images/mcc-isp-bash-iot-prompt.png similarity index 100% rename from windows/deployment/do/images/imcc25.png rename to windows/deployment/do/images/mcc-isp-bash-iot-prompt.png diff --git a/windows/deployment/do/images/imcc08.png b/windows/deployment/do/images/mcc-isp-cache-nodes-option.png similarity index 100% rename from windows/deployment/do/images/imcc08.png rename to windows/deployment/do/images/mcc-isp-cache-nodes-option.png diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/mcc-isp-copy-install-script.png similarity index 100% rename from windows/deployment/do/images/imcc19.png rename to windows/deployment/do/images/mcc-isp-copy-install-script.png 
diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/mcc-isp-create-cache-node-fields.png similarity index 100% rename from windows/deployment/do/images/imcc10.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-fields.png diff --git a/windows/deployment/do/images/imcc09.png b/windows/deployment/do/images/mcc-isp-create-cache-node-option.png similarity index 100% rename from windows/deployment/do/images/imcc09.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-option.png diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/mcc-isp-create-new-node.png similarity index 100% rename from windows/deployment/do/images/imcc12.png rename to windows/deployment/do/images/mcc-isp-create-new-node.png diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/mcc-isp-create-node-form.png similarity index 100% rename from windows/deployment/do/images/imcc13.png rename to windows/deployment/do/images/mcc-isp-create-node-form.png diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/mcc-isp-create-resource.png similarity index 100% rename from windows/deployment/do/images/imcc02.png rename to windows/deployment/do/images/mcc-isp-create-resource.png diff --git a/windows/deployment/do/images/imcc04.png b/windows/deployment/do/images/mcc-isp-create.png similarity index 100% rename from windows/deployment/do/images/imcc04.png rename to windows/deployment/do/images/mcc-isp-create.png diff --git a/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png new file mode 100644 index 0000000000..17fb6a18f1 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png differ 
diff --git a/windows/deployment/do/images/imcc06.png b/windows/deployment/do/images/mcc-isp-deployment-complete.png similarity index 100% rename from windows/deployment/do/images/imcc06.png rename to windows/deployment/do/images/mcc-isp-deployment-complete.png diff --git a/windows/deployment/do/images/imcc01.png b/windows/deployment/do/images/mcc-isp-diagram.png similarity index 100% rename from windows/deployment/do/images/imcc01.png rename to windows/deployment/do/images/mcc-isp-diagram.png diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/mcc-isp-edge-journalctl.png similarity index 100% rename from windows/deployment/do/images/imcc27.png rename to windows/deployment/do/images/mcc-isp-edge-journalctl.png diff --git a/windows/deployment/do/images/imcc42.png b/windows/deployment/do/images/mcc-isp-gnu-grub.png similarity index 100% rename from windows/deployment/do/images/imcc42.png rename to windows/deployment/do/images/mcc-isp-gnu-grub.png diff --git a/windows/deployment/do/images/imcc31.png b/windows/deployment/do/images/mcc-isp-hyper-v-begin.png similarity index 100% rename from windows/deployment/do/images/imcc31.png rename to windows/deployment/do/images/mcc-isp-hyper-v-begin.png diff --git a/windows/deployment/do/images/imcc36.png b/windows/deployment/do/images/mcc-isp-hyper-v-disk.png similarity index 100% rename from windows/deployment/do/images/imcc36.png rename to windows/deployment/do/images/mcc-isp-hyper-v-disk.png diff --git a/windows/deployment/do/images/imcc33.png b/windows/deployment/do/images/mcc-isp-hyper-v-generation.png similarity index 100% rename from windows/deployment/do/images/imcc33.png rename to windows/deployment/do/images/mcc-isp-hyper-v-generation.png 
diff --git a/windows/deployment/do/images/imcc37.png b/windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png similarity index 100% rename from windows/deployment/do/images/imcc37.png rename to windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png diff --git a/windows/deployment/do/images/imcc34.png b/windows/deployment/do/images/mcc-isp-hyper-v-memory.png similarity index 100% rename from windows/deployment/do/images/imcc34.png rename to windows/deployment/do/images/mcc-isp-hyper-v-memory.png diff --git a/windows/deployment/do/images/imcc32.png b/windows/deployment/do/images/mcc-isp-hyper-v-name.png similarity index 100% rename from windows/deployment/do/images/imcc32.png rename to windows/deployment/do/images/mcc-isp-hyper-v-name.png diff --git a/windows/deployment/do/images/imcc35.png b/windows/deployment/do/images/mcc-isp-hyper-v-networking.png similarity index 100% rename from windows/deployment/do/images/imcc35.png rename to windows/deployment/do/images/mcc-isp-hyper-v-networking.png diff --git a/windows/deployment/do/images/imcc38.png b/windows/deployment/do/images/mcc-isp-hyper-v-summary.png similarity index 100% rename from windows/deployment/do/images/imcc38.png rename to windows/deployment/do/images/mcc-isp-hyper-v-summary.png diff --git a/windows/deployment/do/images/imcc41.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png similarity index 100% rename from windows/deployment/do/images/imcc41.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png diff --git a/windows/deployment/do/images/imcc40.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png similarity index 100% rename from windows/deployment/do/images/imcc40.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png 
diff --git a/windows/deployment/do/images/imcc39.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png similarity index 100% rename from windows/deployment/do/images/imcc39.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/mcc-isp-installer-download.png similarity index 100% rename from windows/deployment/do/images/imcc18.png rename to windows/deployment/do/images/mcc-isp-installer-download.png diff --git a/windows/deployment/do/images/imcc16.png b/windows/deployment/do/images/mcc-isp-list-nodes.png similarity index 100% rename from windows/deployment/do/images/imcc16.png rename to windows/deployment/do/images/mcc-isp-list-nodes.png diff --git a/windows/deployment/do/images/imcc05.png b/windows/deployment/do/images/mcc-isp-location-west.png similarity index 100% rename from windows/deployment/do/images/imcc05.png rename to windows/deployment/do/images/mcc-isp-location-west.png diff --git a/windows/deployment/do/images/mcc-isp-metrics.png b/windows/deployment/do/images/mcc-isp-metrics.png new file mode 100644 index 0000000000..1ca9078f3e Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-metrics.png differ diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/mcc-isp-nmcli.png similarity index 100% rename from windows/deployment/do/images/imcc30.png rename to windows/deployment/do/images/mcc-isp-nmcli.png diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/mcc-isp-node-configuration.png similarity index 100% rename from windows/deployment/do/images/imcc17.png rename to windows/deployment/do/images/mcc-isp-node-configuration.png diff --git a/windows/deployment/do/images/imcc15.png b/windows/deployment/do/images/mcc-isp-node-names.png similarity index 100% rename from windows/deployment/do/images/imcc15.png rename to windows/deployment/do/images/mcc-isp-node-names.png 
diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/mcc-isp-node-server-ip.png similarity index 100% rename from windows/deployment/do/images/imcc11.png rename to windows/deployment/do/images/mcc-isp-node-server-ip.png diff --git a/windows/deployment/do/images/mcc-isp-operator-verification.png b/windows/deployment/do/images/mcc-isp-operator-verification.png new file mode 100644 index 0000000000..3641761e0a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-operator-verification.png differ diff --git a/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png new file mode 100644 index 0000000000..e61bb78fc4 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png differ diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/mcc-isp-running-containers.png similarity index 100% rename from windows/deployment/do/images/imcc26.png rename to windows/deployment/do/images/mcc-isp-running-containers.png diff --git a/windows/deployment/do/images/imcc03.png b/windows/deployment/do/images/mcc-isp-search-marketplace.png similarity index 100% rename from windows/deployment/do/images/imcc03.png rename to windows/deployment/do/images/mcc-isp-search-marketplace.png diff --git a/windows/deployment/do/images/mcc-isp-search.png b/windows/deployment/do/images/mcc-isp-search.png new file mode 100644 index 0000000000..4ab4f0b0d6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-search.png differ diff --git a/windows/deployment/do/images/mcc-isp-sign-up.png b/windows/deployment/do/images/mcc-isp-sign-up.png new file mode 100644 index 0000000000..0bc62894c6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-sign-up.png differ 
diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/mcc-isp-success-instructions.png similarity index 100% rename from windows/deployment/do/images/imcc14.png rename to windows/deployment/do/images/mcc-isp-success-instructions.png diff --git a/windows/deployment/do/images/imcc45.png b/windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png similarity index 100% rename from windows/deployment/do/images/imcc45.png rename to windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png diff --git a/windows/deployment/do/images/imcc44.png b/windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png similarity index 100% rename from windows/deployment/do/images/imcc44.png rename to windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png diff --git a/windows/deployment/do/images/imcc43.png b/windows/deployment/do/images/mcc-isp-ubuntu-language.png similarity index 100% rename from windows/deployment/do/images/imcc43.png rename to windows/deployment/do/images/mcc-isp-ubuntu-language.png diff --git a/windows/deployment/do/images/imcc51.png b/windows/deployment/do/images/mcc-isp-ubuntu-restart.png similarity index 100% rename from windows/deployment/do/images/imcc51.png rename to windows/deployment/do/images/mcc-isp-ubuntu-restart.png diff --git a/windows/deployment/do/images/imcc47.png b/windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png similarity index 100% rename from windows/deployment/do/images/imcc47.png rename to windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png diff --git a/windows/deployment/do/images/imcc52.png b/windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png similarity index 100% rename from windows/deployment/do/images/imcc52.png rename to windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png 
diff --git a/windows/deployment/do/images/imcc50.png b/windows/deployment/do/images/mcc-isp-ubuntu-who.png similarity index 100% rename from windows/deployment/do/images/imcc50.png rename to windows/deployment/do/images/mcc-isp-ubuntu-who.png diff --git a/windows/deployment/do/images/imcc46.png b/windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png similarity index 100% rename from windows/deployment/do/images/imcc46.png rename to windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/mcc-isp-use-bgp.png similarity index 100% rename from windows/deployment/do/images/imcc55.PNG rename to windows/deployment/do/images/mcc-isp-use-bgp.png diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/mcc-isp-wget.png similarity index 100% rename from windows/deployment/do/images/imcc28.png rename to windows/deployment/do/images/mcc-isp-wget.png diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md new file mode 100644 index 0000000000..114671fd5e --- /dev/null +++ b/windows/deployment/do/includes/get-azure-subscription.md 
@@ -0,0 +1,17 @@ +--- +author: amymzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.localizationpriority: medium +--- + + +1. Sign in to the [Azure portal](https://portal.azure.com). +1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input. +1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. +1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. +1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. +1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. \ No newline at end of file diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md new file mode 100644 index 0000000000..f90bc995e6 --- /dev/null +++ b/windows/deployment/do/includes/mcc-prerequisites.md @@ -0,0 +1,17 @@ +--- +author: amyzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 11/09/2022 +ms.localizationpriority: medium +--- + + +Peak Egress | Hardware Specifications| +---|---| +< 5G Peak | VM with 8 cores, 16 GB memory, 1 SSD Drive 500GB| +10 - 20G Peak | VM with 16 cores, 32 GB memory, 2 - 3 SSD Drives 1 TB| +20 - 40G Peak | Hardware (sample hardware spec) with 32 cores, 64 GB memory, 4 - 6 SSDs 1 TB | \ No newline at end of file diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index c9373755d6..654cd9f309 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml 
@@ -6,12 +6,10 @@ summary: Set up peer to peer downloads for Windows Updates and learn about Micro metadata: title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-updates ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz @@ -69,8 +67,8 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for Enterprise and Education (Private Preview) - url: mcc-enterprise.md + - text: MCC for Enterprise and Education (early preview) + url: waas-microsoft-connected-cache.md - text: Sign up url: https://aka.ms/MSConnectedCacheSignup @@ -79,10 +77,13 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for ISPs (Private Preview) - url: mcc-isp.md + - text: MCC for ISPs (public preview) + url: mcc-isp-signup.md - text: Sign up - url: https://aka.ms/MSConnectedCacheSignup + url: https://aka.ms/MCCForISPSurvey + - text: MCC for ISPs (early preview) + url: mcc-isp.md + # Card (optional) - title: Resources diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md new file mode 100644 index 0000000000..83d2df61da --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-appendix.md 
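Review bot: the metadata this hunk sets on index.yml (`ms.prod: windows-client`, `ms.technology: itpro-updates`) does not match the metadata on the new articles added in the same PR (`ms.prod: w10`, no `ms.technology`), so the landing page and the pages it links to would be classified differently; align the new articles with `windows-client`/`itpro-updates`. Also, the ISP card now lists both `MCC for ISPs (public preview)` and `MCC for ISPs (early preview)` pointing at different pages; a short note on which one a reader should follow would avoid confusion.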
@@ -0,0 +1,117 @@ +--- +title: Appendix +manager: aaroncz +description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.author: amyzhou +ms.localizationpriority: medium +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Appendix + +## Diagnostics Script + +If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug. + +To run this script: + +1. Navigate to the following folder in the MCC installation files: + + mccinstaller > Eflow > Diagnostics + +1. Run the following commands: + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + .\collectMccDiagnostics.ps1 + ``` + +1. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file, which you can share with us. The location should be **\**\mccdiagnostics\support_bundle_\$timestamp.tar.gz + +1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. + +## Steps to obtain an Azure Subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +## Troubleshooting + +If you're not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). 
+ +Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). + +## IoT Edge runtime + +The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. +The runtime sits on the IoT Edge device, and performs management and +communication operations. The runtime performs several functions: + +- Installs and update workloads (Docker containers) on the device. +- Maintains Azure IoT Edge security standards on the device. +- Ensures that IoT Edge modules (Docker containers) are always running. +- Reports module (Docker containers) health to the cloud for remote monitoring. +- Manages communication between an IoT Edge device and the cloud. + +For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). + +## EFLOW + +- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) +- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) +- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) +- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) +- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) + +## Routing local Windows Clients to an MCC + +### Get the IP address of your MCC using ifconfig + +There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. + +#### Registry Key + +You can either set your MCC IP address or FQDN using: + +1. Registry Key (version 1709 and later): + `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization` +
+ "DOCacheHost"=" " + + From an elevated command prompt: + + ``` + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f + ``` + +1. MDM Path (version 1809 and later): + + `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` + +1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your MCC, such as `10.137.187.38`. + + :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: + + +**Verify Content using the DO Client** + +To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: + +1. Download a game or application from the Microsoft Store. + + :::image type="content" source="./images/ent-mcc-store-example-download.png" alt-text="Screenshot of the Microsoft Store with the game, Angry Birds 2, selected."::: + + +1. Verify downloads came from MCC by one of two methods: + + - Using the PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see *BytesFromCacheServer*. + + :::image type="content" source="./images/ent-mcc-get-deliveryoptimizationstatus.png" alt-text="Screenshot of the output of Get-DeliveryOptimization | FT from PowerShell." lightbox="./images/ent-mcc-get-deliveryoptimizationstatus.png"::: + + - Using the Delivery Optimization Activity Monitor + + :::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor."::: + 
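Review bot: the heading `### Get the IP address of your MCC using ifconfig` has no content beneath it (the text that follows is about applying the client policy), and the `#### Registry Key` sub-heading actually covers all three methods (registry key, MDM path, Group Policy); either add the `ifconfig` step or drop that heading, and rename or split the sub-heading per method. In the same list, the line `"DOCacheHost"=" "` sits outside any code fence and its value placeholder appears to have been lost, and the `reg add` fence has no language tag; put both into a fenced `cmd` block with a visible placeholder for the cache host. The diagnostics path `**\**\mccdiagnostics\support_bundle_\$timestamp.tar.gz` has lost its placeholder for the installer folder and will render as literal asterisks, and "during out debugging process" should read "our".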
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md new file mode 100644 index 0000000000..74ef198811 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-deploy.md 
@@ -0,0 +1,325 @@ +--- +title: Deploying your cache node +manager: dougeby +description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Deploying your cache node + +**Applies to** + +- Windows 10 +- Windows 11 + +## Steps to deploy MCC + +To deploy MCC to your server: + +1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) +1. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) +1. [Create an MCC Node](#create-an-mcc-node-in-azure) +1. [Edit Cache Node Information](#edit-cache-node-information) +1. [Install MCC on a physical server or VM](#install-mcc-on-windows) +1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) +1. [Review common Issues](#common-issues) if needed. + +For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) + +### Provide Microsoft with the Azure Subscription ID + +As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. + +> [!IMPORTANT] +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. + +For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). + +### Create the MCC resource in Azure + +The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. 
+ +Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. + +1. In the Azure portal home page, choose **Create a resource**: + :::image type="content" source="./images/ent-mcc-create-azure-resource.png" alt-text="Screenshot of the Azure portal. The create a resource option is outlined in red."::: + +1. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. + + > [!NOTE] + > You won't see Microsoft Connected Cache in the drop-down list. You'll need to type the string and press enter to see the result. + +1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the MCC resource. + + :::image type="content" source="./images/ent-mcc-azure-search-result.png" alt-text="Screenshot of the Azure portal search results for Microsoft Connected Cache."::: + :::image type="content" source="./images/ent-mcc-azure-marketplace.png" alt-text="Screenshot of Microsoft Connected Cache Enterprise within the Azure Marketplace."::: + +1. Fill in the required fields to create the MCC resource. + + - Choose the subscription that you provided to Microsoft. + - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. + - Choose **(US) West US** for the location of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. + + > [!IMPORTANT] + > Your MCC resource will not be created properly if you do not select **(US) West US** + + - Choose a name for the MCC resource. + - Your MCC resource must not contain the word **Microsoft** in it. + + :::image type="content" source="./images/ent-mcc-azure-create-connected-cache.png" alt-text="Screenshot of the Create a Connected Cache page within the Azure Marketplace."::: + +1. 
Once all the information has been entered, select the **Review + Create** button. Once validation is complete, select the **Create** button to start the + resource creation. + + :::image type="content" source="./images/ent-mcc-azure-cache-created.png" alt-text="Screenshot of the completed cache deployment within the Azure." lightbox="./images/ent-mcc-azure-cache-created.png"::: + +#### Error: Validation failed + +- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. + - To resolve this error, go to the previous step and choose **(US) West US**. + + :::image type="content" source="./images/ent-mcc-create-cache-failed.png" alt-text="Screenshot of a failed cache deployment due to an incorrect location."::: + +### Create an MCC node in Azure + +Creating an MCC node is a multi-step process and the first step is to access the MCC early preview management portal. + +1. After the successful resource creation, select **Go to resource**. +1. Under **Cache Node Management** section on the leftmost panel, select **Cache Nodes**. + + :::image type="content" source="./images/ent-mcc-cache-nodes.png" alt-text="Screenshot of the Cache Node Management section with the navigation link to the Cache Nodes page outlined in red."::: + +1. On the **Cache Nodes** blade, select the **Create Cache Node** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node.png" alt-text="Screenshot of the Cache Nodes page with the Create Cache Node option outlined in red."::: + +1. Selecting the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. + + | **Field Name**| **Expected Value**|**Description** | + |---|---|---| + | **Cache Node Name** | Alphanumeric name that doesn't include any spaces. | The name of the cache node. 
You may choose names based on location such as `Seattle-1`. This name must be unique and can't be changed later. | + +1. Enter the information for the **Cache Node** and select the **Create** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node-name.png" alt-text="Screenshot of the Cache Nodes page displaying the Cache Node Name text entry during the creation process."::: + +If there are errors, the form will provide guidance on how to correct the errors. + +Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. + +:::image type="content" source="./images/ent-mcc-connected-cache-installer-download.png" alt-text="Screenshot of the Connected Cache installer download button, installer instructions, and script."::: + +#### Edit cache node information + +Cache nodes can be deleted here by selecting the check box to the left of a **Cache Node Name** and then selecting the delete toolbar item. Be aware that if a cache node is deleted, there's no way to recover the cache node or any of the information related to the cache node. + +:::image type="content" source="./images/ent-mcc-delete-cache-node.png" alt-text="Screenshot of deleting a cache node from the Cache Nodes page."::: + +### Install MCC on Windows + +Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: + +- Installs the Azure CLI +- Downloads, installs, and deploys EFLOW +- Enables Microsoft Update so EFLOW can stay up to date +- Creates a virtual machine +- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications. +- Configures Connected Cache tuning settings. +- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. +- Deploys the MCC container to server. 
+ +#### Run the installer + +1. Download and unzip `mccinstaller.zip` from the create cache node page or cache node configuration page, both of which contain the necessary installation files. + + :::image type="content" source="./images/ent-mcc-download-installer.png" alt-text="Screenshot of the download installer option on the Create Cache Node page."::: + + The following files are contained in the `mccinstaller.zip` file: + + - **installmcc.ps1**: Main installer file. + - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. + - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. + - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. + - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. + - **mccupdate.json**: Used as part of the update script + +1. Open Windows PowerShell as administrator then navigate to the location of these files. + + > [!NOTE] + > Ensure that Hyper-V is enabled on your device. + > - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + > - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)' + > + > Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. + +#### If you're installing MCC on a local virtual machine + +1. Turn the virtual machine **off** while you enable nested virtualization and MAC spoofing. + 1. Enable nested virtualization: + + ```powershell + Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true + ``` + + 1. 
Enable MAC spoofing: + + ```powershell + Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On + ``` + +1. Set the execution policy. + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + ``` + + > [!NOTE] + > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. + +1. Copy the command from the Azure portal and run it in Windows PowerShell. + + :::image type="content" source="./images/ent-mcc-installer-script.png" alt-text="Screenshot of the installer script for the connected cache node."::: + + > [!NOTE] + > After running the command, and multiple times throughout the installation process, you'll receive the following notice. Select **[R] Run once** to proceed. + >
+ >
Security warning + >
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\mccinstaller\Eflow\installmcc.ps1? + >
+ >
[D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): + +1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. + + > [!NOTE] + > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. + + If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. + + :::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png"::: + +1. Rerun the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. + + :::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png"::: + +1. Decide whether you would like to use dynamic or static address for the Eflow VM + + :::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png"::: + + > [!NOTE] + > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts. + +1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. 
For this example, we chose the default values for all prompts. + +1. Follow the Azure Device Login link and sign into the Azure portal. + + :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png"::: + +1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. + + 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + + :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: + :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: + + +1. Your MCC deployment is now complete. + + 1. If you don't see any errors, continue to the next section to validate your MCC deployment. + 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. + 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article. + +## Verify proper functioning MCC server + +#### Verify Client Side + +Connect to the EFLOW VM and check if MCC is properly running: + +1. Open PowerShell as an Administrator. +2. 
Enter the following commands: + + ```powershell + Connect-EflowVm + sudo -s + iotedge list + ``` + + :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png"::: + +You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. + +#### Verify server side + +For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. + +```powershell +wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] +``` + +A successful test result will display a status code of 200 along with additional information. + +:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png"::: + + :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png"::: + +Similarly, enter the following URL from a browser in the network: + +`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com` + +If the test fails, see the [common issues](#common-issues) section for more information. 
+ +### Intune (or other management software) configuration for MCC + +For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN: + +:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names."::: + +## Common Issues + +#### PowerShell issues + +If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.` + +1. Ensure you're running Windows PowerShell version 5.x. + +1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*. + +1. Ensure you have Hyper-V enabled: + + **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + + **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) + +#### Verify Running MCC Container + +Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: + +```bash +Connect-EflowVm +sudo iotedge list +``` + +:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: + +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: + +```bash +sudo journalctl -u iotedge -f +``` + +For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. + +:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." 
lightbox="./images/ent-mcc-journalctl.png"::: + +Use this command to check the IoT Edge Journal + +```bash +sudo journalctl -u iotedge -f +``` + +> [!NOTE] +> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md new file mode 100644 index 0000000000..705448742b --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md 
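Review bot: the nested-virtualization command in the local-VM section is broken by a space in the cmdlet name: `Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true` resolves `Set` to the `Set-Variable` alias and fails with an unknown-parameter error; it should read `Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true`. In "Verify server side", the host placeholder is missing from both the `wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]` command and the sentence "Replace with the IP address of the cache server", and the square brackets would be sent as part of the URL; restore a visible placeholder such as `<cache server IP>` in the wget line and the browser URL, and drop the brackets. Under "Verify Running MCC Container", the block is fenced as `bash` but its first line `Connect-EflowVm` is a PowerShell cmdlet run on the host, so split it the way the "Verify Client Side" block does (powershell for `Connect-EflowVm`, bash for `sudo iotedge list`); the `sudo journalctl -u iotedge -f` block is also shown twice in a row. Smaller: a stray `'` follows the Windows Server Hyper-V link in the note, the headings jump from `##` straight to `####`, and the "Install MCC on Windows" bullet says port 22 is opened for inbound traffic without saying whether that rule is limited to the EFLOW virtual switch; stating the scope tells readers what SSH exposure the installer creates.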
@@ -0,0 +1,53 @@ +--- +title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education +manager: dougeby +description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview) + +**Applies to** + +- Windows 10 +- Windows 11 + +## Enterprise requirements for MCC + +1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. + + Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). + + The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. + +2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. 
+ + **EFLOW Requires Hyper-V support** + - On Windows client, enable the Hyper-V feature + - On Windows Server, install the Hyper-V role and create a default network switch + + Disk recommendations: + - Using an SSD is recommended as cache read speed of SSD is superior to HDD + + NIC requirements: + - Multiple NICs on a single MCC instance aren't supported. + - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. + - For best performance, NIC and BIOS should support SR-IOV + + VM networking: + - An external virtual switch to support outbound and inbound network communication (created during the installation process) + +## Sizing recommendations + +| Component | Branch Office / Small Enterprise | Large Enterprise | +| -- | --- | --- | +| OS| Windows Server 2019*/2022
Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

* Windows 10 and Windows Server 2019 build 17763 or later | Same | +|NIC | 1 Gbps | 5 Gbps | +|Disk | SSD
1 drive
50 GB each |SSD
1 drive
200 GB each | +|Memory | 4 GB | 8 GB | +|Cores | 4 | 8 | diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md new file mode 100644 index 0000000000..60d0df68e3 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -0,0 +1,45 @@ +--- +title: Update or uninstall Microsoft Connected Cache for Enterprise and Education +manager: dougeby +description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- +# Update or uninstall Microsoft Connected Cache for Enterprise and Education + +Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update. + +## Update MCC + +Run the following command with the **arguments** we provided in the email to update your MCC: + +```powershell +# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" +``` + +For example: + +```powershell +# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a" +``` + +## Uninstall MCC + +Please contact the MCC Team before uninstalling to let us know if you're facing issues. + +This script will remove the following items: + +1. EFLOW + Linux VM +1. IoT Edge +1. Edge Agent +1. Edge Hub +1. MCC +1. Moby CLI +1. Moby Engine + +To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT +Edge LTS \> Uninstall diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md deleted file mode 100644 index 2063ed9e6c..0000000000 
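Review bot: the hardware paragraph states "The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps", but the sizing table has two columns (Branch Office / Small Enterprise with a 1 Gbps NIC, Large Enterprise with 5 Gbps) and neither NIC row reaches 6.5 Gbps, so it is unclear which column the figure describes; tie the claim to a column or reconcile the NIC row. The OS cell embeds its footnote (`* Windows 10 and Windows Server 2019 build 17763 or later`) inside the table cell, which reads better below the table. Metadata: this new page uses `ms.prod: w10` and no `ms.technology`, whereas the page it replaces (`mcc-enterprise.md`, deleted in this PR) carried `ms.prod: windows-client` and `ms.technology: itpro-updates`.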
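Review bot: both `powershell` blocks in "Update MCC" start with `# `, so the command renders as a comment and pastes as a no-op: `# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**"`; drop the `#`, and replace the `"**\**"` placeholders (escaped asterisks inside a code fence render literally) with readable ones such as `"<version>"`. The `customerkey` argument is delivered by email and looks like a credential; a sentence telling readers to treat it as a secret (not to paste it into tickets or commit it alongside the script) belongs next to the example. In "Uninstall MCC", "This script will remove the following items" refers to no script; the procedure that follows is Control Panel > Uninstall a program > Azure IoT Edge LTS, so either name the script or reword to "Uninstalling Azure IoT Edge LTS removes the following items".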
--- a/windows/deployment/do/mcc-enterprise.md +++ /dev/null 
@@ -1,545 +0,0 @@ ---- -title: Microsoft Connected Cache for Enterprise and Education (private preview) -manager: dougeby -description: Details on Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: windows-client -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.technology: itpro-updates ---- - -# Microsoft Connected Cache for Enterprise and Education (private preview) - -**Applies to** - -- Windows 10 -- Windows 11 - -## Overview - -> [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). - -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/). - -MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. 
- -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: - -1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. - -To deploy a functional MCC to your device, you must obtain the necessary keys that will provision the Connected Cache instance to communicate with Delivery Optimization services and enable the device to cache and deliver content. See [figure 1](#fig1) below for a summary of the architecture of MCC, built using IoT Edge. - -For more information about Azure IoT Edge, see [What is Azure IoT Edge](/azure/iot-edge/about-iot-edge). - -## How MCC works - -The following steps describe how MCC is provisioned and used. - -1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to a server using the installer provided in the portal. -3. Client policy is configured in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers content to the client. -6. Subsequent requests from end-user devices for content come from the cache. - -If an MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. - - - -![eMCC img01](images/emcc01.png) - -Figure 1: **MCC processes**. Each number in the diagram corresponds to the steps described above. - - -## Enterprise requirements for MCC - -1. 
**Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. - - Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you do not have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). - - The resources used for the preview and in the future when this product is ready for production will be completely free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. - - **EFLOW Requires Hyper-V support** - - On Windows client, enable the Hyper-V feature - - On Windows Server, install the Hyper-V role and create a default network switch - - Disk recommendations: - - Using an SSD is recommended as cache read speed of SSD is superior to HDD - - NIC requirements: - - Multiple NICs on a single MCC instance aren't supported. - - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. - - For best performance, NIC and BIOS should support SR-IOV - - VM networking: - - An external virtual switch to support outbound and inbound network communication (created during the installation process) - -### Sizing recommendations - -| Component | Branch Office / Small Enterprise | Large Enterprise | -| -- | --- | --- | -| OS| Windows Server 2019*/2022
Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

* Windows 10 and Windows Server 2019 build 17763 or later | Same | -|NIC | 1 Gbps | 5 Gbps | -|Disk | SSD
1 drive
50GB each |SSD
1 drive
200GB each | -|Memory | 4GB | 8GB | -|Cores | 4 | 8 | - -## Steps to deploy MCC - -To deploy MCC to your server: - -1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) -2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create an MCC Node](#create-an-mcc-node-in-azure) -4. [Edit Cache Node Information](#edit-cache-node-information) -5. [Install MCC on a physical server or VM](#install-mcc-on-windows) -6. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) -7. [Review common Issues](#common-issues) if needed. - -For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) - -### Provide Microsoft with the Azure Subscription ID - -As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. - -> [!IMPORTANT] -> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. - -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). - -### Create the MCC resource in Azure - -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. - -Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. - -1. On the Azure portal home page, choose **Create a resource**: - ![eMCC img02](images/emcc02.png) - -2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. 
- -> [!NOTE] -> You'll not see Microsoft Connected Cache in the drop-down list. You need to type it and press enter to see the result. - -3. Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource. - - ![eMCC img03](images/emcc03.png) - ![eMCC img04](images/emcc04.png) - -4. Fill in the required fields to create the MCC resource. - - - Choose the subscription that you provided to Microsoft. - - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. - - Choose **(US) West US** for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. - - > [!NOTE] - > Your MCC resource will not be created properly if you do not select **(US) West US** - - - Choose a name for the MCC resource. - - > [!NOTE] - > Your MCC resource must not contain the word **Microsoft** in it. - - ![eMCC img05](images/emcc05.png) - -5. Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the - resource creation. - - ![eMCC img06](images/emcc06.png) - -#### Error: Validation failed - -- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. -- To resolve this error, go to the previous step and choose **(US) West US**. - - ![eMCC img07](images/emcc07.png) - -### Create an MCC node in Azure - -Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal. - -1. After the successful resource creation click on the **Go to resource**. -2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. - - ![eMCC img08](images/emcc08.png) - -3. 
On the **Cache Nodes** blade, click on the **Create Cache Node** button. - - ![eMCC img09](images/emcc09.png) - -4. Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. - -| **Field Name** | **Expected Value** | **Description** | -|---------------------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------| -| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and cannot be changed later. | - -5. Enter the information for the **Cache Node** and click the **Create** button. - -![eMCC img9.5](images/emcc09.5.png) - -If there are errors, the form will provide guidance on how to correct the errors. - -Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. - -![eMCC img10](images/emcc10.png) - -#### Edit cache node information - -Cache nodes can be deleted here by clicking the check box to the left of a **Cache Node Name** and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node. - -![eMCC img11](images/emcc11.png) - -### Install MCC on Windows - -Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: - - - Installs the Azure CLI - - Downloads, installs, and deploys EFLOW - - Enables Microsoft Update so EFLOW can stay up to date - - Creates a virtual machine - - Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. 
Port 80 is used by MCC, and port 22 is used for SSH communications. - - Configures Connected Cache tuning settings. - - Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. - - Deploys the MCC container to server. - -#### Run the installer - -1. Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files. - - ![eMCC img12](images/emcc12.png) - -Files contained in the mccinstaller.zip file: - - - **installmcc.ps1**: Main installer file. - - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. - - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. - - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. - - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. - - **mccupdate.json**: Used as part of the update script - -1. Open Windows PowerShell as administrator and navigate to the location of these files. - -> [!NOTE] -> Ensure that Hyper-V is enabled on your device. -> Do not use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### If you're installing MCC on a local virtual machine: - -1. Enable Nested Virtualization - - ```powershell - Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true - ``` -2. 
Enable Mac Spoofing - ```powershell - Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On - ``` - **Virtual machine should be in the OFF state while enabling Nested Virtualization and Mac Spoofing** - -3. Set the execution policy - - ```powershell - Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process - ``` - > [!NOTE] - > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. - -4. Copy the command from the portal and run it in Windows PowerShell - - ![eMCC img13](images/emcc13.png) - - > [!NOTE] - > After running the command, and multiple times throughout the installation process, you'll receive the following notice. **Please select [R] Run once to proceed**. - >
- >
Security warning - >
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\\Users\\mccinstaller\\Eflow\\installmcc.ps1? - >
- >
[D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): - -3. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. - - > [!NOTE] - > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. - - If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. - - ![eMCC img14](images/emcc14.png) - -4. Re-run the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. - - ![eMCC img15](images/emcc15.png) - -5. Decide whether you would like to use dynamic or static address for the Eflow VM - - ![eMCC img16](images/emcc16.png) - - > [!NOTE] - > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. - >
A static IP address is recommended so you do not have to change this value in your management solution when MCC restarts. - -6. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and cores you would like to allocate for the VM. In this example, we chose the default values for all prompts. - -7. Follow the Azure Device Login link and sign into the Azure portal. - - ![eMCC img17](images/emcc17.png) - -8. If this is your first MCC deployment, please select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription; Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter “1”** - - ![eMCC img18](images/emcc18.png) - ![eMCC img19](images/emcc19.png) - -9. Your MCC deployment is now complete. - - 1. If you do not see any errors, please continue to the next section to validate your MCC deployment. - 2. After validating your MCC is properly functional, please review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. - 3. If you had errors during your deployment, see the [Troubleshooting](#troubleshooting) section in this article. - -### Verify proper functioning MCC server - -#### Verify Client Side - -Connect to the EFLOW VM and check if MCC is properly running: - -1. Open PowerShell as an Administrator -2. Enter the following commands: - -```powershell -Connect-EflowVm -sudo -s -iotedge list -``` - -![eMCC img20](images/emcc20.png) - -You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, please try this command in a few minutes. 
The MCC container can take a few minutes to deploy - -#### Verify server side - -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. - -```powershell -wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] -``` - -A successful test result will look like this: - -![eMCC img21](images/emcc21.png) - -OR - -![eMCC img22](images/emcc22.png) - -Similarly, enter this URL from a browser in the network: - -[http://YourCacheServerIP/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]() - -If the test fails, see the common issues section for more information. - -### Intune (or other management software) configuration for MCC - -For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN: - -![eMCC img23](images/emcc23.png) - -### Common Issues - -#### PowerShell issues - -If you're seeing errors similar to this: “The term ‘Get-Something’ isn't recognized as the name of a cmdlet, function, script file, or operable program.” - -1. Ensure you're running Windows PowerShell version 5.x. - -2. Run \$PSVersionTable and ensure you’re running version 5.x and *not version 6 or 7*. - -3. 
Ensure you have Hyper-V enabled: - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### Verify Running MCC Container - -Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: - -```bash -Connect-EflowVm -sudo iotedge list​ -``` - -![eMCC img24](images/emcc24.png) - -If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoT Edge security manager using the command: - -```bash -sudo journalctl -u iotedge -f -``` - -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start as is shown in the sample below: - -![eMCC img25](images/emcc25.png) - -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge –f -``` - -Please note: You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we have listed a few issues below that we hit during our internal validation. - -## Diagnostics Script - -If you're having issues with your MCC, we included a diagnostics script which will collect all your logs and zip them into a single file. You can then send us these logs via email for the MCC team to debug. - -To run this script: - -1. Navigate to the following folder in the MCC installation files: - - mccinstaller \> Eflow \> Diagnostics - -2. Run the following commands: - -```powershell -Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -.\collectMccDiagnostics.ps1 -``` - -3. The script stores all the debug files into a folder and then creates a tar file. 
After the script is finished running, it will output the path of the tar file which you can share with us (should be “**\**\\mccdiagnostics\\support_bundle_\$timestamp.tar.gz”) - -4. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. - -## Update MCC - -Throughout the private preview phase, we will send you security and feature updates for MCC. Please follow these steps to perform the update. - -Run the following command with the **arguments** we provided in the email to update your MCC: - -```powershell -# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" -``` -For example: -```powershell -# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a” -``` - -## Uninstall MCC - -Please contact the MCC Team before uninstalling to let us know if you're facing -issues. - -This script will remove the following: - -1. EFLOW + Linux VM -2. IoT Edge -3. Edge Agent -4. Edge Hub -5. MCC -6. Moby CLI -7. Moby Engine - -To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT -Edge LTS \> Uninstall - -## Appendix - -### Steps to obtain an Azure Subscription ID - -1. Sign in to https://portal.azure.com/ and navigate to the Azure services section. -2. Click on **Subscriptions**. If you do not see **Subscriptions**, click on the **More Services** arrow and search for **Subscriptions**. -3. If you already have an Azure Subscription, skip to step 5. If you do not have an Azure Subscription, select **+ Add** on the top left. -4. 
Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. -5. On the **Subscriptions** blade, you'll find details about your current subscription. Click on the subscription name. -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Click on the **Copy to clipboard** icon next to your Subscription ID to copy the value. - -### Troubleshooting - -If you’re not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - -Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). - -### IoT Edge runtime - -The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. -The runtime sits on the IoT Edge device, and performs management and -communication operations. The runtime performs several functions: - -- Installs and update workloads (Docker containers) on the device. -- Maintains Azure IoT Edge security standards on the device. -- Ensures that IoT Edge modules (Docker containers) are always running. -- Reports module (Docker containers) health to the cloud for remote monitoring. -- Manages communication between an IoT Edge device and the cloud. - -For more information on Azure IoT Edge, please see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). 
- -### EFLOW - -- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) -- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) -- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) -- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) -- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) - -### Routing local Windows Clients to an MCC - -#### Get the IP address of your MCC using ifconfig - -There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. - -##### Registry Key - -You can either set your MCC IP address or FQDN using: - -1. Registry Key in 1709 and higher - - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
- "DOCacheHost"=" " - - From an elevated command prompt: - - ``` - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f - ``` - -2. MDM Path in 1809 or higher: - - .Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost - -3. In Windows release version 1809 and later, you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, set the Cache Server Hostname (Setting found under Computer Configuration, Administrative Templates, Windows Components, Delivery Optimization) to the IP address of your MCC. For example 10.137.187.38. - - ![eMCC img26](images/emcc26.png) - -**Verify Content using the DO Client** - -To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: - -1. Download a game or application from the Microsoft Store. - - ![eMCC img27](images/emcc27.png) - -2. Verify downloads came from MCC by one of two methods: - - - Using PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see BytesFromCacheServer test - - ![eMCC img28](images/emcc28.png) - - - Looking at the Delivery Optimization Activity Monitor - - ![eMCC img29](images/emcc29.png) - -## Also see - -[Microsoft Connected Cache for ISPs](mcc-isp.md)
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md new file mode 100644 index 0000000000..ae5404b2ae --- /dev/null +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md 
@@ -0,0 +1,43 @@ +--- +title: Cache node configuration +manager: aaroncz +description: Configuring a cache node on Azure portal +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Cache node configuration + +All cache node configuration will take place within Azure portal. This article outlines all of the settings that you'll be able to configure. + +## Settings + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. | +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +## Storage + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: /dev/folder/ | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +## Client routing + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. 
For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | + diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md new file mode 100644 index 0000000000..e41c225b67 --- /dev/null +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md 
@@ -0,0 +1,148 @@ +--- +title: Create, provision, and deploy the cache node in Azure portal +manager: aaroncz +description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Create, Configure, provision, and deploy the cache node in Azure portal + +**Applies to** + +- Windows 10 +- Windows 11 + +This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node will require downloading an installer script that will be run on your cache server. + +> [!IMPORTANT] +> Before you can create your Microsoft Connected Cache, you will need to complete the [sign up process](mcc-isp-signup.md). You cannot proceed without signing up for our service. + +## Create cache node + +1. Open [Azure portal](https://www.portal.azure.com) and navigate to the **Microsoft Connected Cache** resource. + +1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**. + +1. Provide a name for your cache node and select **Create** to create your cache node. + +## Configure cache node + +During the configuration of your cache node, there are many fields for you to configure your cache node. To learn more about the definitions of each field, review the [Configuration fields](#general-configuration-fields) at the bottom of this article. + +### Client routing + +Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you'll be able to route your clients to your cache node. + +Microsoft Connected Cache offers two ways for you to route your clients to your cache node. 
The first method of manual entry involves uploading a comma-separated list of CIDR blocks that represents the clients. The second method of setting BGP (Border Gateway Protocol) is more automatic and dynamic, which is set up by establishing neighborships with other ASNs. All routing methods are set up within Azure portal. + +Once client routing and other settings are configured, your cache node will be able to download content and serve traffic to your customers. + +At this time, only IPv4 addresses are supported. IPv6 addresses aren't supported. + +#### Manual routing + +You can manually upload a list of your CIDR blocks in Azure portal to enable manual routing of your customers to your cache node. + +#### BGP routing + +BGP (Border Gateway Protocol) routing is another method offered for client routing. BGP dynamically retrieves CIDR ranges by exchanging information with routers to understand reachable networks. For an automatic method of routing traffic, you can choose to configure BGP routing in Azure portal. + +1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision. + + :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + +1. Enter the max allowable egress that your hardware can support. + +1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. +**Note:** Up to nine cache drives are supported. + +1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). + + - If you choose **Manual routing**, enter your address range/CIDR blocks. 
+ - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. + > [!NOTE] + > **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established. + +## Deploy cache node software to server + +Once the user executes the cache server provisioning script, resources are created behind the scenes resulting in the successful cache node installation. The script takes the input of different IDs outlined below to register the server as an Azure IoT Edge device. Even though Microsoft Connected Cache scenario isn't related to IoT, Azure IoT Edge is installed for container management and communication operation purposes. + +### Components installed during provisioning + +#### IoT Edge + +IoT Edge performs several functions important to manage MCC on your edge device: + +1. Installs and updates MCC on your edge device. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. + +#### Docker container engine + +Azure IoT Edge relies on an OCI-compatible container runtime. The Moby engine is the only container engine officially supported with IoT Edge and is installed as part of the server provisioning process. + +### Components of the device provisioning script + +There are five IDs that the device provisioning script takes as input in order to successfully provision and install your cache server. The provisioning script will automatically include these keys, with no input necessary from the user. + +| ID | Description | +|---|---| +| Customer ID | A unique alphanumeric ID that the cache nodes are associated with. | +| Cache node ID | The unique alphanumeric ID of the cache node being provisioned. | +| Customer Key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. | +| Cache node name | The name of the cache node. 
| +| Tenant ID | The unique ID associated with the Azure account. | + +:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: + +1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. + +1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script: + + ```bash + sudo chmod +x provisionmcc.sh + ``` + +1. Copy and paste the script command line shown in the Azure portal. + +1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). + + > [!NOTE] + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + +### General configuration fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. 
| +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +### Storage fields + +> [!IMPORTANT] +> All cache drives must have read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +### Client routing fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml new file mode 100644 index 0000000000..19f6da7226 --- /dev/null +++ b/windows/deployment/do/mcc-isp-faq.yml 
@@ -0,0 +1,83 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Connected Cache Frequently Asked Questions + description: The following article is a list of frequently asked questions for Microsoft Connected Cache. + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: amymzhou + ms.author: amymzhou + manager: aaroncz + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 09/30/2022 + ms.custom: seo-marvel-apr2020 +title: Microsoft Connected Cache Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + +sections: + - name: Ignored + questions: + - question: Is this product a free service? + answer: Yes. Microsoft Connected Cache is a free service. + - question: What will Microsoft Connected Cache do for me? How will it impact our customers? + answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs. + - question: Is there a non-disclosure agreement to sign? + answer: No, a non-disclosure agreement isn't required. + - question: What are the prerequisites and hardware requirements? + answer: | + - Azure subscription + - Hardware to host Microsoft Connected Cache: + + + [!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)] + + We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification: + - Dell PowerEdge R330 + - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core + - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s + - 4 - Transcend SSD230s 1 TB SATA Drives + Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + - question: Will I need to provide hardware BareMetal server or VM? 
+ answer: Microsoft Connected Cache is a software-only caching solution and will require you to provide your own server to host the software. + - question: Can we use hard drives instead of SSDs? + answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance. + - question: Will I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node? + answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes. + - question: Should I add any load balancing mechanism? + answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node. + - question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries? + answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries, you can set up separate cache nodes per country. + - question: Where should we install Microsoft Connected Cache? + answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters. + - question: How long would a piece of content live within the Microsoft Connected Cache? 
Is content purged from the cache? + answer: Once a request for said content is made, NGINX will look at the cache control headers from the original acquisition. If that content has expired, NGINX will continue to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used. + - question: What content is cached by Microsoft Connected Cache? + answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md). + - question: Does Microsoft Connected Cache support Xbox or Teams content? + answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available! + - question: Is IPv6 supported? + answer: No, we don't currently support IPV6. We plan to support it in the future. + - question: Is Microsoft Connected Cache stable and reliable? + answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. + - question: How does Microsoft Connected Cache populate its content? + answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. 
The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. + - question: What do I do if I need more support and have more questions even after reading this FAQ page? + answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). + - question: What CDNs will Microsoft Connected Cache pull content from? + answer: | + Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: + + $ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA" + + c-0001.c-msedge.net. 20 IN A 13.107.4.50 + + $ whois 13.107.4.50|grep "Organization:" + + Organization: Microsoft Corporation (MSFT) diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md new file mode 100644 index 0000000000..352d4402b4 --- /dev/null +++ b/windows/deployment/do/mcc-isp-signup.md 
@@ -0,0 +1,86 @@ +--- +title: Operator sign up and service onboarding +manager: aaroncz +description: Service onboarding for Microsoft Connected Cache for ISP +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Operator sign up and service onboarding for Microsoft Connected Cache + +**Applies to** + +- Windows 10 +- Windows 11 + +This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). + +## Resource creation and sign up process + +1. Navigate to the [Azure portal](https://www.portal.azure.com). In the top search bar, search for **Microsoft Connected Cache**. + + :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: + +1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource. + + > [!IMPORTANT] + > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information. +1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for. + + :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png"::: + +1. 
Once we verify the information entered, a verification code will be sent to the NOC email address provided on [Peering DB](https://www.peeringdb.com/). Once you receive the email, navigate to your Azure portal > **Microsoft Connected Cache** > **Settings** > **Verify operator**, and enter the verification code sent to the NOC email address. + + > [!NOTE] + > Verification codes expire in 24 hours. You will need to generate a new code if it expires. + + :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + +1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node. + + + +### Cache performance + +To make sure you're maximizing the performance of your cache node, review the following information: + +#### OS requirements + +The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. + +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. + +#### Drive performance + +The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. + +RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. + +### Hardware configuration example + +There are many hardware configurations that suit Microsoft Connected Cache. 
As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: + +**Dell PowerEdge R330** + +- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core +- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s +- 4 - Transcend SSD230s 1 TB SATA Drives +- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + +### Virtual machines + +Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance. \ No newline at end of file diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md new file mode 100644 index 0000000000..a321ac671c --- /dev/null +++ b/windows/deployment/do/mcc-isp-support.md 
@@ -0,0 +1,51 @@ +--- +title: Support and troubleshooting +manager: aaroncz +description: Troubleshooting issues for Microsoft Connected Cache for ISP +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: reference +--- + +# Support and troubleshooting + +**Applies to** + +- Windows 10 +- Windows 11 + +This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs. +## Sign up errors + +### Cannot verify account + +During sign-up, we verify the information you provide against what is present in [Peering DB](https://www.peeringdb.com/). Make sure the information for your ISP entry on [Peering DB](https://www.peeringdb.com/) is up to date and matches what you provide during sign-up. + +### Invalid verification code + +During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up. + +## Cache Node Errors + +### Cannot find my cache node + +Did you previously had access to your cache nodes but it's now no longer accessible? If so, it may be because you had a trial subscription, and its trial period ended. To resolve this issue, complete the following two steps: + +1. Create a new Azure Pay-As-You-Go subscription +1. Recreate the cache nodes using the new subscription + +## Steps to obtain an Azure subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +## Recommended resources + +- [Pay-as-you-go-subscription](https://azure.microsoft.com/offers/ms-azr-0003p/) +- [Azure free account FAQs](https://azure.microsoft.com/free/free-account-faq/) + 
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md new file mode 100644 index 0000000000..c6bdfe27c8 --- /dev/null +++ b/windows/deployment/do/mcc-isp-update.md 
@@ -0,0 +1,58 @@ +--- +title: Update or uninstall your cache node +manager: aaroncz +description: How to update or uninstall your cache node +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Update or uninstall your cache node + +This article details how to update or uninstall your cache node. + +## Update cache node + +Microsoft will release updates for Microsoft Connected Cache periodically to improve performance, functionality, and security. Updates won't require any action from the customer. Instead, when an update is available, your cache node will automatically update during low traffic hours with minimal to no impact to your end customers. + +To view which version your cache nodes are currently on, navigate to the **Cache nodes** tab to view the versions in the list view. + +## Uninstall cache node + +There are two main steps required to uninstall your cache node: + +1. Remove your cache node from Azure portal +1. Run the uninstall script to cleanly remove MCC from your server + +You must complete both steps to ensure a clean uninstall of your cache node. + +### Remove your cache node from Azure portal + +Within the [Azure portal](https://www.portal.azure.com), navigate to **Cache Nodes**, then select the cache node you wish to delete. Once selected, select **Delete** on the top bar to remove this cache node from your account. + +### Run the uninstall script to cleanly remove Microsoft Connected Cache from your server + +In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls Microsoft Connected Cache and all the related components. Only run it if you're facing issues with Microsoft Connected Cache installation. 
+ +The **uninstallmcc.sh** script removes the following components: + +- IoT Edge +- Edge Agent +- Edge Hub +- MCC +- Moby CLI +- Moby engine + +To run the script, use the following commands: + +```bash +sudo chmod +x uninstallmcc.sh +sudo ./uninstallmcc.sh + +``` diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md new file mode 100644 index 0000000000..22f8b3de86 --- /dev/null +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md 
@@ -0,0 +1,80 @@ +--- +title: Verify cache node functionality and monitor health and performance +manager: aaroncz +description: How to verify the functionality of a cache node +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Verify cache node functionality and monitor health and performance + +This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. + +## Verify functionality on Azure portal + +Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue. + +## Verify functionality on the server + +It can take a few minutes for the container to deploy after you've saved the configuration. + +To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server. + +```bash +wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If successful, you'll see a terminal output similar to the following output: + +```bash +HTTP request sent, awaiting response... 
200 OK +Length: 969710 (947K) [image/gif] +Saving to: 'wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com' + +wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com 100%[========================] +``` + +Similarly, enter the following URL into a web browser on any device on the network: + +```http +http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article. + +## Monitor cache node health and performance + +Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance. + +### Available Metrics + +Within Azure portal, you're able to build your custom charts and graphs using the following available metrics: + +| Metric name | Description | +|---|---| +| **Cache Efficiency** | Cache efficiency is defined as the total cache hit bytes divided by all bytes requested. The higher this value (0 - 100%), the more efficient the cache node is. | +| **Healthy nodes** | The number of cache nodes that are reporting as healthy| +| **Unhealthy nodes**| The number of cache nodes that are reporting as unhealthy| +| **Maximum in**| The maximum egress (in Gbps) of inbound traffic| +| **Maximum out**| The maximum egress (in Gbps) of outbound traffic| +| **Average in**| The average egress (in Gbps) of inbound traffic| +| **Average out**| The average egress (in Gbps) of outbound traffic| + +For more information about how to build your custom charts and graphs, see [Azure Monitor](/azure/azure-monitor/essentials/data-platform-metrics). + +### Monitoring your metrics + +To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal. 
+ +:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab."::: + +You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar. + +If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured. diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md new file mode 100644 index 0000000000..6cb5ab9b45 --- /dev/null +++ b/windows/deployment/do/mcc-isp-vm-performance.md 
@@ -0,0 +1,36 @@ +--- +title: Enhancing VM performance +manager: aaroncz +description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: reference +--- + +# Enhancing virtual machine performance + +In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings. + +## Virtual machine settings + +Change the following settings to maximize the egress in virtual environments: + +1. Enable **Single Root I/O Virtualization (SR-IOV)** in the following three locations: + + - The BIOS of the MCC virtual machine + - The network card properties of the MCC virtual machine + - The hypervisor for the MCC virtual machine + + Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. + +2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment. + +## Next steps + +[Support and troubleshooting](mcc-isp-support.md) diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 9ac74d0930..055f86b888 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md 
@@ -5,17 +5,17 @@ ms.prod: windows-client ms.technology: itpro-updates ms.localizationpriority: medium author: amymzhou -ms.author: aaroncz +ms.author: amyzhou ms.reviewer: carmenf -manager: dougeby +manager: aaroncz ms.collection: M365-modern-desktop ms.topic: how-to ms.date: 05/20/2022 --- -# Microsoft Connected Cache for Internet Service Providers (ISPs) +# Microsoft Connected Cache for Internet Service Providers (early preview) -_Applies to_ +*Applies to* - Windows 10 - Windows 11 @@ -23,7 +23,7 @@ _Applies to_ ## Overview > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> This document is for Microsoft Connected Cache (early preview). During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. 
@@ -31,15 +31,15 @@ Microsoft Connected Cache is a hybrid application, in that it's a mix of on-prem ## How MCC works -:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png"::: +:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png"::: The following steps describe how MCC is provisioned and used: 1. The Azure Management Portal is used to create and manage MCC nodes. -2. A shell script is used to provision the server and deploy the MCC application. +1. A shell script is used to provision the server and deploy the MCC application. -3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. +1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. - The publicly accessible IPv4 address of the server is configured on the portal. 
@@ -50,31 +50,31 @@ The following steps describe how MCC is provisioned and used: > [!NOTE] > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error. -4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. +1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. -5. Microsoft clients make the range requests for content from the MCC node. +1. Microsoft clients make the range requests for content from the MCC node. -6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -7. Subsequent requests from end-user devices for content will be served from cache. +1. Subsequent requests from end-user devices for content will be served from cache. -8. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. +1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. ## ISP requirements for MCC ### Azure subscription -The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services. +The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services. > [!NOTE] > If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses. 
-Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends. +Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). *Don't submit a trial subscription* as you'll lose access to your Azure resources after the trial period ends. The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions. > [!IMPORTANT] -> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). +> To join the Microsoft Connected Cache early preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). ### Hardware to host the MCC 
@@ -89,7 +89,7 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC #### NIC requirements -- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration. +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. - 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. ### Sizing recommendations @@ -97,10 +97,10 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. | Component | Minimum | Recommended | -| -- | --- | --- | +|---|---|---| | OS | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | | NIC | 10 Gbps| at least 10 Gbps | -| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each | +| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each | | Memory | 8 GB | 32 GB or greater | | Cores | 4 | 8 or more | @@ -110,8 +110,8 @@ To deploy MCC: 1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id) 2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create a Cache Node](#create-a-mcc-node-in-azure) -4. [Configure Cache Node Routing](#edit-cache-node-information) +3. [Create a Cache Node](#create-an-mcc-node-in-azure) +4. [Configure Cache Node Routing](#edit-cache-node-information) 5. [Install MCC on a physical server or VM](#install-mcc) 6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server) 7. [Review common issues if needed](#common-issues) 
@@ -135,20 +135,20 @@ Operators who have been given access to the program will be sent a link to the A 1. Choose **Create a resource**. - :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal."::: + :::image type="content" source="./images/mcc-isp-create-resource.png" alt-text="Screenshot of the option to 'Create a resource' in the Azure portal."::: 1. Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results. 1. Select **Microsoft Connected Cache**. - :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'."::: + :::image type="content" source="./images/mcc-isp-search-marketplace.png" alt-text="Screenshot of searching the Azure Marketplace for 'Microsoft Connected Cache'."::: > [!IMPORTANT] - > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**. + > Don't select *Connected Cache Resources*, which is different from **Microsoft Connected Cache**. 1. Select **Create** on the next screen to start the process of creating the MCC resource. - :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service."::: + :::image type="content" source="./images/mcc-isp-create.png" alt-text="Screenshot of the Create option for the Microsoft Connected Cache service."::: 1. Fill in the following required fields to create the MCC resource: 
@@ -163,11 +163,11 @@ Operators who have been given access to the program will be sent a link to the A - Specify a **Connected Cache Resource Name**. - :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure."::: + :::image type="content" source="./images/mcc-isp-location-west.png" alt-text="Screenshot of entering the required information, including the West US location, to create a Connected Cache in Azure."::: 1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation. - :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details."::: + :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="'Screenshot of the 'Your deployment is complete' message displaying deployment details."::: #### Common Resource Creation Errors 
@@ -175,58 +175,55 @@ Operators who have been given access to the program will be sent a link to the A If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**. -:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location."::: - ##### Error: Could not create Marketplace item If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot: -- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource. +- Make sure that you've selected **Microsoft Connected Cache** and not *Connected Cache resources* while trying to create an MCC resource. - Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource. - If the issue persists, clear your browser cache and start in a new window. -### Create a MCC node in Azure +### Create an MCC node in Azure 1. After you successfully create the resource, select **Go to resource**. 1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**. - :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section."::: + :::image type="content" source="./images/mcc-isp-cache-nodes-option.png" alt-text="Screenshot of the 'Cache Nodes' option in the Cache Node Management menu section."::: 1. On the **Cache Nodes** section, select **Create Cache Node**. 
- :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-option.png" alt-text="Screenshot of the selecting the 'Create Cache Node' option."::: 1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**. | Field name | Expected value | Description | |--|--|--| | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | - | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ | + | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. *The IP address must be publicly accessible.* | | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. | | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` | - | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | + | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | - :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-fields.png" alt-text="Screenshot of the available fields on the Create Cache Node page."::: > [!TIP] > The information icon next to each field provides a description. > - > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field."::: + > :::image type="content" source="./images/mcc-isp-node-server-ip.png" alt-text="Screenshot of the Create Cache Node page showing the description for the Server IP Address field."::: - > [!NOTE] - > After you create the cache node, if you return to this page, it populates the values for the two read-only fields: - > - > | Field name | Description | - > |--|--| - > | **IP Space** | Number of IP addresses that will be routed to your cache server. | - > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | + After you create the cache node, if you return to this page, it populates the values for the two read-only fields: + + | Field name | Description | + |--|--| + | **IP Space** | Number of IP addresses that will be routed to your cache server. | + | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | 1. Enter the information to create the cache node, and then select **Create**. 
- :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-new-node.png" alt-text="Screenshot of selecting 'Create' on the Create Cache Node page."::: If there are errors, the page gives you guidance on how to correct the errors. For example: @@ -236,11 +233,11 @@ If there are errors, the page gives you guidance on how to correct the errors. F See the following example with all information entered: -:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered."::: +:::image type="content" source="./images/mcc-isp-create-node-form.png" alt-text="Screenshot of the Create Cache Node page with all information entered."::: Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section. -:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions."::: +:::image type="content" source="./images/mcc-isp-success-instructions.png" alt-text="Screenshot of the Cache node successfully created with Connected Cache installer instructions."::: ### IP address space approval 
@@ -258,15 +255,15 @@ There are three states for IP address space. MCC configuration supports BGP and If your IP address space has this status, contact Microsoft for more information. -:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses."::: +:::image type="content" source="./images/mcc-isp-node-names.png" alt-text="Screenshot of a list of cache node names with example IP address space statuses."::: ## Edit cache node information -:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal."::: +:::image type="content" source="./images/mcc-isp-list-nodes.png" alt-text="Screenshot of the Cache Nodes list in the Azure portal."::: To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node. -:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields."::: +:::image type="content" source="./images/mcc-isp-node-configuration.png" alt-text="Screenshot of the Cache Node Configuration page, highlighting editable fields."::: To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. 
@@ -298,7 +295,7 @@ Before you start, make sure that you have a data drive configured on your server 1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file. - :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action."::: + :::image type="content" source="./images/mcc-isp-installer-download.png" alt-text="Screenshot of the Create Cache Node page highlighting the Download Installer action."::: Unzip the **mccinstaller.zip** file, which includes the following installation files and folders: 
@@ -322,19 +319,19 @@ Before you start, make sure that you have a data drive configured on your server 1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal. - :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions."::: + :::image type="content" source="./images/mcc-isp-copy-install-script.png" alt-text="Screenshot of the Copy option for the cache node installer Bash script in the Connected Cache installer instructions."::: 1. Sign in to the Azure portal with a device code. - :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code."::: + :::image type="content" source="./images/mcc-isp-bash-device-code.png" alt-text="Screenshot of the Bash script prompt to sign in to the Azure portal with a device code." lightbox="./images/mcc-isp-bash-device-code.png"::: 1. Specify the number of drives to configure. Use an integer value less than 10. - :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure."::: + :::image type="content" source="./images/mcc-isp-bash-drive-number.png" alt-text="Screenshot of the Bash script prompt to enter the number of cache drives to configure." lightbox="./images/mcc-isp-bash-drive-number.png"::: 1. Specify the location of the cache drives. For example, `/datadrive/` - :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-datadrive.png" alt-text="Screenshot of the Bash script prompt to enter the location for cache drive." 
lightbox="./images/mcc-isp-bash-datadrive.png"::: > [!IMPORTANT] > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`. @@ -350,15 +347,15 @@ Before you start, make sure that you have a data drive configured on your server 1. Specify an integer value as the size in GB for each cache drive. The minimum is `100` GB. - :::image type="content" source="images/imcc24.png" alt-text="Bash script prompt to enter the amount of space to allocate to the cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-allocate-space.png" alt-text="Screenshot of the Bash script prompt to enter the amount of space to allocate to the cache drive." lightbox="./images/mcc-isp-bash-allocate-space.png"::: 1. Specify whether you have an existing IoT Hub. - - If this process is for your _first MCC deployment_, enter `n`. + - If this process is for your *first MCC deployment*, enter `n`. - - If you already have a MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. + - If you already have an MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. - :::image type="content" source="images/imcc25.png" alt-text="Bash script output with steps for existing IoT Hub."::: + :::image type="content" source="./images/mcc-isp-bash-iot-prompt.png" alt-text="Screenshot of the Bash script output with steps for existing IoT Hub." lightbox="./images/mcc-isp-bash-iot-prompt.png"::: 1. If you want to configure BGP, enter `y`. If you want to use manual entered prefixes for routing, enter `n` and skip to Step 16. You can always configure BGP at a later time using the Update Script. 
@@ -394,7 +391,7 @@ Before you start, make sure that you have a data drive configured on your server 1. To start routing using BGP, change the **Prefix Source** from **Manually Entered** to **Use BGP**. - :::image type="content" source="images/imcc55.PNG" alt-text="Cache node configuration with the Prefix Source set to Use BGP."::: + :::image type="content" source="./images/mcc-isp-use-bgp.png" alt-text="Screenshot of the Cache Node Configuration page with the Prefix Source set to Use BGP."::: 1. If there are no errors, go to the next section to verify the MCC server. @@ -415,7 +412,7 @@ Sign in to the Connected Cache server or use SSH. Run the following command from sudo iotedge list ``` -:::image type="content" source="images/imcc26.png" alt-text="Terminal output of iotedge list command, showing the running containers."::: +:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png"::: If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: @@ -425,7 +422,7 @@ sudo journalctl -u iotedge -f For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: -:::image type="content" source="images/imcc27.png" alt-text="Terminal output of journalctl command for iotedge."::: +:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png"::: ### Verify server side 
@@ -439,7 +436,7 @@ wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.wind The following screenshot shows a successful test result: -:::image type="content" source="images/imcc28.png" alt-text="Terminal output of successful test result with wget command to validate a MCC."::: +:::image type="content" source="./images/mcc-isp-wget.png" alt-text="Screenshot of the terminal output of successful test result with wget command to validate a Microsoft Connected Cache." lightbox="./images/mcc-isp-wget.png"::: Similarly, enter the following URL into a web browser on any device on the network: @@ -484,7 +481,7 @@ To configure the device to work with your DNS, use the following steps: nmcli device show eno1 ``` - :::image type="content" source="images/imcc30.png" alt-text="Sample output of nmcli command to show network adapter information."::: + :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png"::: 1. Open or create the Docker configuration file used to configure the DNS server. @@ -535,7 +532,7 @@ To run the script: ## Updating your MCC -Throughout the private preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. +Throughout the early preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. Run the following commands, replacing the variables with the values provided in the email to update your MCC: @@ -553,7 +550,7 @@ sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-u ### Configure BGP on an Existing MCC -If you have a MCC that's already active and running, follow the steps below to configure BGP. +If you have an MCC that's already active and running, follow the steps below to configure BGP. 1. Run the Update commands as described above. 
@@ -585,20 +582,12 @@ sudo ./uninstallmcc.sh ``` ## Appendix - + ### Steps to obtain an Azure subscription ID -1. Sign in to the [Azure portal](https://portal.azure.com/) and go to the **Azure services** section. + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] -2. Select **Subscriptions**. If you don't see **Subscriptions**, select the **More Services** arrow and search for **Subscriptions**. - -3. If you already have an Azure subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. - -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you won't be charged for using the MCC service. - -5. On the **Subscriptions** section, you'll find details about your current subscription. Select the subscription name. - -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. To copy the value, select the **Copy to clipboard** icon next to your subscription ID. ### Performance of MCC in virtual environments 
@@ -618,7 +607,7 @@ In virtual environments, the cache server egress peaks at around 1.1 Gbps. If yo More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource. -For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the _MCC resource_ and _MCC resource group_. +For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *MCC resource* and *MCC resource group*. ### Setting up a VM on Windows Server 
@@ -631,93 +620,93 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an 1. Start the **New Virtual Machine Wizard** in Hyper-V. - :::image type="content" source="images/imcc31.png" alt-text="The Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-begin.png" alt-text="Screenshot of the Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: 1. Specify a name and choose a location. - :::image type="content" source="images/imcc32.png" alt-text="The Specify Name and Location page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-name.png" alt-text="Screenshot of the Specify Name and Location page in the Hyper-V New Virtual Machine Wizard."::: 1. Select **Generation 2**. You can't change this setting later. - :::image type="content" source="images/imcc33.png" alt-text="The Specify Generation page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-generation.png" alt-text="Screenshot of the Specify Generation page in the Hyper-V New Virtual Machine Wizard."::: 1. Specify the startup memory. - :::image type="content" source="images/imcc34.png" alt-text="The Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-memory.png" alt-text="Screenshot of the Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: 1. Choose the network adapter connection. - :::image type="content" source="images/imcc35.png" alt-text="The Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-networking.png" alt-text="Screenshot of the Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: 1. Set the virtual hard disk parameters. 
You should specify enough space for the OS and the content that will be cached. For example, `1024` GB is 1 terabyte. - :::image type="content" source="images/imcc36.png" alt-text="The Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-disk.png" alt-text="Screenshot of the Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: 1. Select **Install an OS from a bootable image file** and browse to the ISO for Ubuntu 20.04 LTS that you previously downloaded. - :::image type="content" source="images/imcc37.png" alt-text="The Installation Options page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-installation-options.png" alt-text="Screenshot of the Installation Options page of the Hyper-V New Virtual Machine Wizard."::: 1. Review the settings and select **Finish** to create the Ubuntu VM. - :::image type="content" source="images/imcc38.png" alt-text="Completing the New Virtual Machine Wizard on Hyper-V."::: + :::image type="content" source="./images/mcc-isp-hyper-v-summary.png" alt-text="Screenshot of completing the New Virtual Machine Wizard on Hyper-V."::: 1. Before you start the Ubuntu VM, disable **Secure Boot** and allocate multiple cores to the VM. 1. In Hyper-V Manager, open the **Settings** for the VM. - :::image type="content" source="images/imcc39.png" alt-text="Open Settings for a VM in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-settings.png" alt-text="Screenshot of the settings for a VM in Hyper-V Manager."::: 1. Select **Security**. Disable the option to **Enable Secure Boot**. - :::image type="content" source="images/imcc40.png" alt-text="Security page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-security.png" alt-text="Screenshot of the security page from VM settings in Hyper-V Manager."::: 1. 
Select **Processor**. Increase the number of virtual processors. This example shows `12`, but your configuration may vary. - :::image type="content" source="images/imcc41.png" alt-text="Processor page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-processor.png" alt-text="Screenshot of the processor page from VM settings in Hyper-V Manager."::: 1. Start the VM and select **Install Ubuntu**. - :::image type="content" source="images/imcc42.png" alt-text="GNU GRUB screen, select Install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-gnu-grub.png" alt-text="Screenshot of the GNU GRUB screen, with Install Ubuntu selected."::: 1. Choose your default language. - :::image type="content" source="images/imcc43.png" alt-text="Ubuntu install, Welcome page, select language."::: + :::image type="content" source="./images/mcc-isp-ubuntu-language.png" alt-text="Screenshot of the Ubuntu install's language selection page."::: 1. Choose the options for installing updates and third party hardware. For example, download updates and install third party software drivers. 1. Select **Erase disk and install Ubuntu**. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. - :::image type="content" source="images/imcc45.png" alt-text="Ubuntu install, Installation type page, Erase disk and install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-ubuntu-erase-disk.png" alt-text="Screenshot of the Ubuntu install Installation type page with the Erase disk and install Ubuntu option selected."::: Review the warning about writing changes to disk, and select **Continue**. - :::image type="content" source="images/imcc46.png" alt-text="Ubuntu install, 'Write the changes to disks' warning."::: + :::image type="content" source="./images/mcc-isp-ubuntu-write-changes.png" alt-text="Screenshot of the Ubuntu install's 'Write the changes to disks' warning."::: 1. 
Choose the time zone. - :::image type="content" source="images/imcc47.png" alt-text="Ubuntu install, 'Where are you page' to specify time zone."::: + :::image type="content" source="./images/mcc-isp-ubuntu-time-zone.png" alt-text="Screenshot of the Ubuntu install's 'Where are you page' to specify time zone."::: 1. Choose the keyboard layout. - :::image type="content" source="images/imcc48.png" alt-text="Ubuntu install, Keyboard layout page."::: + :::image type="content" source="./images/mcc-isp-ubuntu-keyboard.png" alt-text="Screenshot of the Ubuntu install's Keyboard layout page."::: 1. Specify your name, a name for the computer, a username, and a strong password. Select the option to **Require my password to log in**. > [!TIP] > Everything is case sensitive in Linux. - :::image type="content" source="images/imcc50.png" alt-text="Ubuntu install, 'Who are you' screen."::: + :::image type="content" source="./images/mcc-isp-ubuntu-who.png" alt-text="Screenshot of the Ubuntu install's, 'Who are you' screen."::: 1. To complete the installation, select **Restart now**. - :::image type="content" source="images/imcc51.png" alt-text="Ubuntu install, installation complete, restart now."::: + :::image type="content" source="./images/mcc-isp-ubuntu-restart.png" alt-text="Screenshot of the Ubuntu install's installation complete, restart now screen."::: 1. After the computer restarts, sign in with the username and password. > [!IMPORTANT] > If it shows that an upgrade is available, select **Don't upgrade**. > - > :::image type="content" source="images/imcc52.png" alt-text="Ubuntu install, Upgrade Available prompt, Don't Upgrade."::: + > :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected."::: Your Ubuntu VM is now ready to [Install MCC](#install-mcc). 
@@ -735,6 +724,6 @@ For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/ ## Related articles -[Microsoft Connected Cache for enterprise and education](mcc-enterprise.md) +[Microsoft Connected Cache overview](waas-microsoft-connected-cache.md) [Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index d492d18d11..8888c9ec94 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md 
@@ -22,41 +22,40 @@ ms.technology: itpro-updates - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. -MCC is a hybrid (mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. +MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. 
The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario is not related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. To deploy a functional MCC to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of MCC is described below. -For more details information on Azure IoT Edge, please see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). 
+For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). ## How MCC Works 1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to the server using the installer provided in the portal. -3. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -6. Subsequent requests from end-user devices for content will now come from cache. -7. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. +1. The MCC container is deployed and provisioned to the server using the installer provided in the portal. +1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. +1. Microsoft end-user devices make range requests for content from the MCC node. +1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. Subsequent requests from end-user devices for content will now come from cache. +1. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. -See the following diagram. +The following diagram displays and overview of how MCC functions: -![MCC Overview](images/waas-mcc-diag-overview.png#lightbox) +:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." 
lightbox="./images/waas-mcc-diag-overview.png"::: -For more information about MCC, see the following articles: -- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise.md) -- [Microsoft Connected Cache for ISPs](mcc-isp.md) -## Also see -[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) \ No newline at end of file +## Next steps + +- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) +- [Microsoft Connected Cache for ISPs](mcc-isp-signup.md) diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 3609de6b15..35b2652d61 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -21,7 +21,7 @@ ms.technology: itpro-updates - Windows 10 - Windows 11 -## Microsoft Connected Cache (private preview) +## Microsoft Connected Cache (early preview) Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 7c6b7cb6ed..58bb72052d 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml 
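Review bot: Typo in the new diagram lead-in: `+The following diagram displays and overview of how MCC functions:` should read `an overview`. More substantively, the rewritten IMPORTANT box drops `This phase does not include formal support, and should not be used for production workloads.` while still calling MCC a preview and still linking the Azure preview supplemental terms; if that restriction is unchanged, keep the sentence, because a reader deploying a cache node that serves Microsoft content to every client on the network will otherwise take the new wording as production-ready. Also reconcile the terminology with the `whats-new-do.md` hunk on this same line, which renames its heading to `early preview` while this page now says `preview feature`.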
@@ -6,12 +6,10 @@ summary: Learn about deploying and keeping Windows client devices up to date. # metadata: title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.technology: itpro-apps + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 5bae3977a7..eb154e5d93 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.prod: windows-client author: frankroj ms.author: frankroj -ms.date: 10/31/2022 +ms.date: 11/23/2022 manager: aaroncz ms.localizationpriority: high ms.topic: article 
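Review bot: The deployment landing page gets `ms.technology: itpro-apps`, but every other deployment file touched in this change (the Windows 10 Enterprise FAQ, the Windows To Go FAQ and `s-mode.md`) is tagged `itpro-deploy`; unless the landing page is deliberately filed under apps, use `itpro-deploy` here as well. The `ms.date` bump in the `mbr-to-gpt.md` hunk on this line needs no change.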
@@ -15,18 +15,19 @@ ms.technology: itpro-deploy # MBR2GPT.EXE -**Applies to** -- Windows 10 +*Applies to:* -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. +- Windows 10 -MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option. + +MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later. The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. See the following video for a detailed description and demonstration of MBR2GPT. - +> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o] You can use MBR2GPT to: 
@@ -45,6 +46,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s ## Disk Prerequisites Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: + - The disk is currently using MBR - There's enough space not occupied by partitions to store the primary and secondary GPTs: - 16 KB + 2 sectors at the front of the disk @@ -66,21 +68,21 @@ If any of these checks fails, the conversion won't proceed, and an error will be | Option | Description | |----|-------------| -|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | -|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | -|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| -|/map:\=\| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|/allowFullOS| By default, MBR2GPT.exe is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| +|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. | +|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. | +|**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| +|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | +|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| ## Examples ### Validation example -In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. +In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**. -```console -X:\>mbr2gpt /validate /disk:0 +```cmd +X:\>mbr2gpt.exe /validate /disk:0 MBR2GPT: Attempting to validate disk 0 MBR2GPT: Retrieving layout of disk MBR2GPT: Validating layout, disk sector size is: 512 
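Review bot: The prerequisites hunk (`@@ -45,6 +46,7 @@`) only inserts a blank line, yet the return-code table later on this page lists `Conversion failed because one or more volumes on the disk is encrypted.` (code 6) and the `/allowFullOS` row kept here warns that a new ESP is carved out by shrinking the OS partition. Nothing in the prerequisites tells the reader what to do with BitLocker-protected volumes before `/convert`, so add a bullet there rather than letting the encryption case surface only as a failure code. In the option table itself, the angle-bracket placeholders that should follow `/disk:`, `/logs:` and `/map:` do not survive in this view (`**/disk:*\***`, `**/logs:*\***`, `**/map:*\*=*\***`); confirm they render after the bold and italic markers were added.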
@@ -92,16 +94,25 @@ MBR2GPT: Validation completed successfully In the following example: 1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. + 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type. -2. The MBR2GPT tool is used to convert disk 0. -3. The DiskPart tool displays that disk 0 is now using the GPT format. -4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +3. The MBR2GPT tool is used to convert disk 0. + +4. The DiskPart tool displays that disk 0 is now using the GPT format. + +5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). + +6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. -```console -X:\>DiskPart +
+
+ Expand to show MBR2GPT example + +```cmd +X:\>DiskPart.exe Microsoft DiskPart version 10.0.15048.0 @@ -219,6 +230,8 @@ Offset in Bytes: 524288000 * Volume 1 D Windows NTFS Partition 58 GB Healthy ``` +
+ ## Specifications ### Disk conversion workflow @@ -259,17 +272,18 @@ Since GPT partitions use a different set of type IDs than MBR partitions, each p 4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: + - GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) - GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) For more information about partition types, see: + - [GPT partition types](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) - [MBR partition types](/windows/win32/fileio/disk-partition-types) - ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. > [!IMPORTANT] > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. 
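Review bot: Putting the DiskPart transcript behind `Expand to show MBR2GPT example` hides it by default, but the sentence immediately before it, `As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.`, points at that hidden output; a reader who does not expand the section never sees the note being referred to. Either move the sentence inside the expandable section or state the required change (switching the firmware to UEFI boot) directly instead of by reference. The renumbering of the steps to 1 through 6 is correct now that the old step 1 is split in two.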
@@ -293,7 +307,7 @@ Four log files are created by the MBR2GPT tool: - setupact.log - setuperr.log -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. > [!NOTE] > The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. @@ -302,12 +316,12 @@ The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, type **mbr2gpt /?** +To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`** The following text is displayed: -```console -C:\> mbr2gpt /? +```cmd +C:\> mbr2gpt.exe /? Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. 
@@ -348,19 +362,18 @@ MBR2GPT has the following associated return codes: | Return code | Description | |----|-------------| -|0| Conversion completed successfully.| -|1| Conversion was canceled by the user.| -|2| Conversion failed due to an internal error.| -|3| Conversion failed due to an initialization error.| -|4| Conversion failed due to invalid command-line parameters. | -|5| Conversion failed due to error reading the geometry and layout of the selected disk.| -|6| Conversion failed because one or more volumes on the disk is encrypted.| -|7| Conversion failed because the geometry and layout of the selected disk don't meet requirements.| -|8| Conversion failed due to error while creating the EFI system partition.| -|9| Conversion failed due to error installing boot files.| -|10| Conversion failed due to error while applying GPT layout.| -|100| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.| - +|**0**| Conversion completed successfully.| +|**1**| Conversion was canceled by the user.| +|**2**| Conversion failed due to an internal error.| +|**3**| Conversion failed due to an initialization error.| +|**4**| Conversion failed due to invalid command-line parameters. | +|**5**| Conversion failed due to error reading the geometry and layout of the selected disk.| +|**6**| Conversion failed because one or more volumes on the disk is encrypted.| +|**7**| Conversion failed because the geometry and layout of the selected disk don't meet requirements.| +|**8**| Conversion failed due to error while creating the EFI system partition.| +|**9**| Conversion failed due to error installing boot files.| +|**10**| Conversion failed due to error while applying GPT layout.| +|**100**| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.| ### Determining the partition type 
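Review bot: Bolding the codes is fine, but the table still reads as the complete set of exit values while the known-issue section further down reports `exit code: 0xC0000135/3221225781`, which is not in it. Add a sentence under the table stating that values outside 0 to 10 and 100 come from the process loader rather than from MBR2GPT (0xC0000135 is the NT status for a DLL that could not be found, which is exactly the `ReAgent.dll` case described later), so a Configuration Manager or MDT task sequence can tell a tool failure from an environment failure.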
@@ -381,8 +394,8 @@ You can also view the partition type of a disk by opening the Disk Management to If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: -```console -X:\>DiskPart +```cmd +X:\>DiskPart.exe Microsoft DiskPart version 10.0.15048.0 
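Review bot: The code block now shows `X:\>DiskPart.exe`, but the sentence that introduces it still says `type **diskpart** and then type **list disk**` in bold without the extension; use the same backticked `DiskPart.exe` spelling here that the rest of this change applies to `MBR2GPT.exe`, and `list disk` should be in backticks too.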
@@ -405,15 +418,15 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: -**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. +**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive. -**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there's no output from the tool. +**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool. -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. +**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. #### Cause -This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. +This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. #### Workaround 
@@ -430,31 +443,31 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from **Command 1:** - ```console + ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" ``` - + This command copies three files: - * ReAgent.admx - * ReAgent.dll - * ReAgent.xml + - ReAgent.admx + - ReAgent.dll + - ReAgent.xml **Command 2:** - ```console + ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" ``` - + This command copies two files: - * ReAgent.adml - * ReAgent.dll.mui + - ReAgent.adml + - ReAgent.dll.mui > [!NOTE] > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). +3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). ## Related articles diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index bf3c38f95e..853855b43b 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml 
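Review bot: Both copy commands hard-code `...\Windows Setup\amd64\Sources\...` and the surrounding steps only say to mount the WinPE image; add a line that the architecture folder (`amd64` here) must match the boot image being patched and that the files should be taken from the ADK the image was built with, otherwise the `ReAgent.dll` dropped into `System32` is the wrong binary and the loader error remains. The switch from `*` to `-` bullets and from `console` to `cmd` fences is consistent with the rest of the page.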
@@ -3,7 +3,8 @@ metadata: title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 848e407d94..c234ad4992 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -8,7 +8,8 @@ metadata: ms.author: frankroj manager: aaroncz keywords: FAQ, mobile, device, USB - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: deploy ms.pagetype: mobility ms.sitesec: library diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index eaba8cdb52..3fc8a55190 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- 
@@ -20,15 +20,15 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update ## S mode key features -**Microsoft-verified security** +### Microsoft-verified security With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. -**Performance that lasts** +### Performance that lasts Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go. -**Choice and flexibility** +### Choice and flexibility Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. 
@@ -49,6 +49,6 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too ## Related links - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) -- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [S mode devices](https://www.microsoft.com/windows/view-all-devices) - [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint](/microsoft-365/windows/microsoft-defender-atp) diff --git a/windows/deployment/update/images/update-terminology.png b/windows/deployment/update/images/update-terminology.png index 803c35d447..81e1b28320 100644 Binary files a/windows/deployment/update/images/update-terminology.png and b/windows/deployment/update/images/update-terminology.png differ diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/images/wufb-do-overview.png new file mode 100644 index 0000000000..bacdb44d25 Binary files /dev/null and b/windows/deployment/update/images/wufb-do-overview.png differ diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index b1549aa4b9..69b46485fc 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
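Review bot: `[Microsoft Defender for Endpoint](/microsoft-365/windows/microsoft-defender-atp)` turns an absolute `https://www.microsoft.com/...` URL into a site-relative path, which silently changes the host to the docs site; that path was a www.microsoft.com product page, so verify it resolves on the docs site or link the Defender for Endpoint documentation instead. Removing the `en-us` segment from the devices link is correct.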
@@ -40,7 +40,9 @@ Servicing stack update are released depending on new issues or vulnerabilities. Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. -Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. +Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. + +Beginning with the February 2021 LCU, Microsoft will publish all future cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS. ## Is there any special guidance? diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 2737ca60d1..ce28b14f14 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md 
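Review bot: The deleted paragraph was the only place this page explained why SSUs exist (they modify the component that installs Windows updates) and gave a concrete dependency example; the replacement keeps the risk statement (`there's a risk that your device can't be updated with the latest Microsoft security fixes`) but not the reason, so keep one sentence of the rationale. Also `+Beginning with the February 2021 LCU, Microsoft will publish all future cumulative updates and SSUs ... together` is in the future tense for something already in effect; write it as "Since the February 2021 LCU, the SSU and LCU for Windows 10, version 2004 and later are published as one cumulative monthly update".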
@@ -48,7 +48,7 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: - **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. -- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. +- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. - **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. - **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies. diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index 6315bbdd8c..f4206b0189 100644 --- a/windows/deployment/update/wufb-reports-overview.md 
+++ b/windows/deployment/update/wufb-reports-overview.md @@ -40,10 +40,11 @@ Currently, Windows Update for Business reports contains the following features: - UCClientReadinessStatus - UCClientUpdateStatus - UCDeviceAlert + - UCDOAggregatedStatus + - UCDOStatus - UCServiceUpdateStatus - UCUpdateAlert - - UCDOStatus - - UCDOAggregatedStatus + - Client data collection to populate the Windows Update for Business reports tables :::image type="content" source="media/wufb-reports-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Windows Update for Business reports data in Log Analytics." lightbox="media/wufb-reports-query-table.png"::: diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md new file mode 100644 index 0000000000..7fae5b9b00 --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md 
@@ -0,0 +1,35 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus +ms.reviewer: +manager: naengler +description: UCDOAggregatedStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.collection: M365-analytics +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOAggregatedStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. | +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. 
| +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **DeviceCount** | [long](/azure/kusto/query/scalar-data-types/long) | `27077` | Number of devices. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md new file mode 100644 index 0000000000..01ad6b186a --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md 
@@ -0,0 +1,55 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOStatus +ms.reviewer: +manager: naengler +description: UCDOStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.collection: M365-analytics +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. 
| +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. | +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **City** | [string](/azure/kusto/query/scalar-data-types/string) | `Redmond` | Approximate city where device was located while downloading content, based on IP address. | +| **ContentDownloadMode** | [int](/azure/kusto/query/scalar-data-types/int) | `1` | Device's Delivery Optimization Download Mode used to download content. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | Approximate country where device was located while downloading content, based on IP address. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `DESKTOP-DO` | User or organization provided device name. If the value appears as '#', configure the device to send device name. | +| **DOStatusDescription** | [string](/azure/kusto/query/scalar-data-types/string) | `Downloading` | A short description of Delivery Optimization status, if any. | +| **DownloadMode** | [string](/azure/kusto/query/scalar-data-types/string) | `LAN (1)` | Delivery Optimization Download Mode configured on the device. | +| **DownloadModeSrc** | [string](/azure/kusto/query/scalar-data-types/string) | `MDM` | The source of the Download Mode configuration. | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft global device identifier. This identifier is used by Microsoft internally. | +| **GroupID** | [string](/azure/kusto/query/scalar-data-types/string) | `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` | Delivery Optimization Group ID GUID value. 
| +| **ISP** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft Corporation` | Internet Service Provider estimation. | +| **LastCensusSeenTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. | +| **NoPeersCount** | [long](/azure/kusto/query/scalar-data-types/long) | `4` | Count of peers device interacted with. | +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10/11 operating system version currently installed on the device, such as 20H1, 21H2. | +| **PeerEligibleTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `5` | Total count of eligible transfers by peers. | +| **PeeringStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `On` | Delivery Optimization peering status. | +| **PeersCannotConnectCount** | [long](/azure/kusto/query/scalar-data-types/long) | `1` | Count of peers Delivery Optimization couldn't connect to. | +| **PeersSuccessCount** | [long](/azure/kusto/query/scalar-data-types/long) | `2` | Count of peers Delivery Optimization successfully connected to. | +| **PeersUnknownCount** | [long](/azure/kusto/query/scalar-data-types/long) | `0` | Count of peers with an unknown relation. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) |`6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **TotalTimeForDownload** | [string](/azure/kusto/query/scalar-data-types/string) | `00:02:11` | Total time to download content. | +| **TotalTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `304` | Total count of data transfers needed to download content. 
| +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md index 8b2936c9bc..27d15d676a 100644 --- a/windows/deployment/update/wufb-reports-schema.md +++ b/windows/deployment/update/wufb-reports-schema.md 
@@ -31,5 +31,7 @@ The following table summarizes the different tables that are part of the Windows |[**UCClientReadinessStatus**](wufb-reports-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.| | [**UCClientUpdateStatus**](wufb-reports-schema-ucclientupdatestatus.md) | Device record | Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. | | [**UCDeviceAlert**](wufb-reports-schema-ucdevicealert.md)| Service and device record | These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. | +| [**UCDOAggregatedStatus**](wufb-reports-schema-ucdoaggregatedstatus.md)| Device record | UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using Delivery Optimization and Microsoft Connected Cache. | +| [**UCDOStatus**](wufb-reports-schema-ucdostatus.md)| Device record | UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization and Microsoft Connected Cache. | | [**UCServiceUpdateStatus**](wufb-reports-schema-ucserviceupdatestatus.md) | Service record | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. 
| | [**UCUpdateAlert**](wufb-reports-schema-ucupdatealert.md) | Service and device records | Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank. | diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index 3d1083467a..cdaf2834c6 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -141,7 +141,7 @@ The **Device status** group for feature updates contains the following items: ## Delivery Optimization (preview tab) -The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes Microsoft Connected Cache (MCC) information. +The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. At the top of the report, tiles display the following information: 
@@ -156,6 +156,8 @@ The Delivery Optimization tab is further divided into the following groups: - **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**. - **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**. +:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png"::: + ## Customize the workbook Since the Windows Update for Business reports workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started). diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index a5d392e636..d9550203d8 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md 
@@ -34,7 +34,7 @@ This article outlines the general process that you should follow to migrate file 6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files: - ``` syntax + ```cmd ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log ``` @@ -51,7 +51,7 @@ This article outlines the general process that you should follow to migrate file 3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example, - ``` syntax + ```cmd ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log ``` @@ -78,7 +78,7 @@ This article outlines the general process that you should follow to migrate file For example, the following command migrates the files and settings: - ``` syntax + ```cmd LoadState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log ``` diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 4b4868af71..677f59ca0c 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md 
@@ -131,7 +131,7 @@ On a test computer, install the operating system that will be installed on the d To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you're testing. To specify only **User1** in the migration, enter: -``` syntax +```cmd /ue:*\* /ui:user1 ``` diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index fb362c9ab3..390cc4ad37 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -61,7 +61,7 @@ The following table defines the supported combination of online and offline oper User-group membership isn't preserved during offline migrations. You must configure a **<ProfileControl>** section in the `Config.xml` file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: -``` xml +```xml @@ -146,7 +146,7 @@ Syntax: `0` The following XML example illustrates some of the elements discussed earlier in this article. -``` xml +```xml C:\Windows diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index bbfd70227a..64fe549a96 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj -ms.date: 11/01/2022 +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- 
@@ -136,6 +136,9 @@ The default `MigUser.xml` file migrates the following data: > [!NOTE] > The asterisk (`*`) stands for zero or more characters. + > [!NOTE] + > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. + The default `MigUser.xml` file doesn't migrate the following data: - Files tagged with both the **Hidden** and **System** attributes. @@ -164,7 +167,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t For example, you can use all of the XML migration file types for a single migration, as in the following example: -``` syntax +```cmd ScanState.exe /config:c:\myFolder\Config.xml /i:migapps.xml /i:MigDocs.xml /i:CustomRules.xml ``` @@ -194,14 +197,14 @@ To generate the XML migration rules file for a source computer: 4. At the command prompt, enter: - ``` syntax + ```cmd cd /d ScanState.exe /genmigxml: ``` Where *<USMTpath>* is the location on your source computer where you've saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, enter: - ``` syntax + ```cmd cd /d c:\USMT ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" ``` @@ -230,13 +233,13 @@ The `MigDocs.xml` file calls the `GenerateDocPatterns` function, which takes thr **Usage:** -``` syntax +```cmd MigXmlHelper.GenerateDocPatterns ("", "", "") ``` To create include data patterns for only the system drive: -``` xml +```xml @@ -246,7 +249,7 @@ To create include data patterns for only the system drive: To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory: -``` xml +```xml @@ -256,7 +259,7 @@ To create an include rule to gather files for registered extensions from the %PR To create exclude data patterns: -``` xml +```xml 
@@ -339,7 +342,7 @@ To exclude the new text document.txt file and any .txt files in "new folder", yo To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension. -``` xml +```xml D:\Newfolder\[new text document.txt] @@ -352,7 +355,7 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f If you don't know the file name or location of the file, but you do know the file name extension, you can use the `GenerateDrivePatterns` function. However, the rule will be less specific than the default include rule generated by the `MigDocs.xml` file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -``` xml +```xml @@ -364,7 +367,7 @@ If you don't know the file name or location of the file, but you do know the fil If you want the **<UnconditionalExclude>** element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts. -``` xml +```xml MigDocExcludes @@ -389,7 +392,7 @@ The application data directory is the most common location that you would need t This rule will include .pst files that are located in the default location, but aren't linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer. -``` xml +```xml %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] @@ -401,7 +404,7 @@ This rule will include .pst files that are located in the default location, but For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component. -``` xml +```xml %CSIDL_PROGRAM_FILES%\*[*.pst] 
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index e1f6f61c40..cebdc6bf49 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -91,7 +91,7 @@ As the authorized administrator, it is your responsibility to protect the privac Although it isn't a requirement, it's good practice for **<CustomFileName>** to match the name of the file. For example, the following example is from the `MigApp.xml` file: - ``` xml + ```xml ``` diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 6262d58456..e5164ba2e5 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -107,7 +107,7 @@ To remove encryption from files that have already been migrated incorrectly, you **Resolution:** You can use the `/mu` option when you run the **LoadState** tool to specify a new name for the user. For example, -``` syntax +```cmd LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore /progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1 ``` @@ -138,7 +138,7 @@ The following sections describe common XML file problems. Expand the section to **Resolution:** Install all of the desired applications on the computer before running the `/genconfig` option. Then run `ScanState.exe` with all of the .xml files. For example, run the following command: -``` syntax +```cmd ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:ScanState.log ``` @@ -248,7 +248,7 @@ The following sections describe common offline migration problems. Expand the se **Resolution:** Use a Security Identifier (SID) to include a user when running the **ScanState** tool. For example: -``` syntax +```cmd ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021* ``` 
@@ -262,7 +262,7 @@ You can also use patterns for SIDs that identify generic users or groups. For ex **Resolution:** Reboot the computer or unload the registry hive at the command prompt after the **ScanState** tool has finished running. For example, at a command prompt, enter: -``` syntax +```cmd reg.exe unload hklm\$dest$software ``` @@ -282,7 +282,7 @@ The following sections describe common hard-link migration problems. Expand the **Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, enter: -``` syntax +```cmd UsmtUtils.exe /rd ``` diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 4d4f72d27c..96846a8e88 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -50,7 +50,7 @@ The following example specifies that all locked files, regardless of their locat Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed. -``` xml +```xml * [*] @@ -152,7 +152,7 @@ The **<HardLinkStoreControl>** sample code below specifies that hard links > [!IMPORTANT] > The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file's location. -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index d6433d0ca6..e12ed6ff62 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md 
@@ -37,7 +37,7 @@ If you have an **<include>** rule in one component and a **<locationMod The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the **<exclude>** rule is specified in a separate component. -``` xml +```xml User Documents @@ -71,7 +71,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. -``` xml +```xml %CSIDL_PERSONAL%\* [*.doc] @@ -103,7 +103,7 @@ If there are conflicting rules within a component, the most specific rule is app In the following example, mp3 files won't be excluded from the migration. The mp3 files won't be excluded because directory names take precedence over the file extensions. -``` xml +```xml C:\Data\* [*] @@ -181,7 +181,7 @@ The destination computer contains the following files: You have a custom .xml file that contains the following code: -``` xml +```xml c:\data\* [*] diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 40514b888a..88db104333 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -22,7 +22,7 @@ The following template is a template for the sections that you need to migrate y
Expand to show Example 1 application template: -``` xml +```xml @@ -161,7 +161,7 @@ The sample patterns describe the behavior in the following example .xml file.
Expand to show Example 3 XML file: -``` xml +```xml File Migration Test @@ -203,7 +203,7 @@ The behavior for this custom .xml file is described within the `` t
Expand to show Example 4 XML file: -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 45c30d631c..2e1ddfc773 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -47,7 +47,7 @@ To run the ScanState tool on the source computer with USMT installed: 2. Navigate to the USMT tools. For example, enter: - ``` syntax + ```cmd cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" ``` @@ -55,13 +55,13 @@ To run the ScanState tool on the source computer with USMT installed: 3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, enter: - ``` syntax + ```cmd ScanState.exe /p: ``` Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example: - ``` syntax + ```cmd ScanState.exe c:\store /p:c:\spaceRequirements.xml ``` diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 3821597500..0956d47d63 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -50,7 +50,7 @@ The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contai The following .xml file migrates all files located on the C: drive, except any .mp3 files. -``` xml +```xml @@ -77,7 +77,7 @@ The following .xml file migrates all files located on the C: drive, except any . The following .xml file migrates all files and subfolders in `C:\Data`, except the files and subfolders in `C:\Data\tmp`. -``` xml +```xml Test component 
@@ -103,7 +103,7 @@ The following .xml file migrates all files and subfolders in `C:\Data`, except t The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but excludes all files that are in `C:\EngineeringDrafts`. -``` xml +```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -129,7 +129,7 @@ The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but The following .xml file migrates all files and subfolders in `C:\EngineeringDrafts`, except for the `Sample.doc` file in `C:\EngineeringDrafts`. -``` xml +```xml Component to migrate all Engineering Drafts Documents except Sample.doc @@ -155,13 +155,13 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf To exclude a Sample.doc file from any location on the C: drive, use the **<pattern>** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. -``` xml +```xml C:\* [Sample.doc] ``` To exclude a Sample.doc file from any drive on the computer, use the **<script>** element. If multiple files exist with the same name, all of these files will be excluded. -``` xml +```xml ``` @@ -173,7 +173,7 @@ Here are some examples of how to use XML to exclude files, folders, and registry The following .xml file excludes all `.mp3` files from the migration: -``` xml +```xml Test @@ -194,7 +194,7 @@ The following .xml file excludes all `.mp3` files from the migration: The following .xml file excludes only the files located on the C: drive. -``` xml +```xml Test @@ -215,7 +215,7 @@ The following .xml file excludes only the files located on the C: drive. The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registry key and all of its subkeys. -``` xml +```xml 
@@ -242,7 +242,7 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **<unconditionalExclude>** element takes precedence over the **<include>** element. -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 20b48b006b..f1a46e9c78 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -29,7 +29,7 @@ In addition, you can specify the file patterns that you want to extract by using To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax: -``` syntax +```cmd UsmtUtils.exe /extract [/i:] [/e:] [/l:] [/decrypt[:] {/key: | /keyfile:}] [/o] ``` @@ -57,7 +57,7 @@ Where the placeholders have the following values: To extract everything from a compressed migration store to a file on the `C:\` drive, enter: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore ``` @@ -65,7 +65,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore To extract specific files, such as `.txt` and `.pdf` files, from an encrypted compressed migration store, enter: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt ``` 
@@ -75,7 +75,7 @@ In this example, the file is encrypted and the encryption key is located in a te To extract all files except for one file type, such as `.exe` files, from an encrypted compressed migration store, enter: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt ``` @@ -83,7 +83,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedS To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o ``` diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml index f058fa2a8d..f22b052e29 100644 --- a/windows/deployment/usmt/usmt-faq.yml +++ b/windows/deployment/usmt/usmt-faq.yml @@ -3,11 +3,11 @@ metadata: title: 'Frequently Asked Questions (Windows 10)' description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.' ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b - ms.reviewer: + ms.prod: windows-client + ms.technology: itpro-deploy author: frankroj ms.author: frankroj manager: aaroncz - ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library audience: itpro diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index ffa159f0c3..98148b856d 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md 
@@ -55,13 +55,13 @@ You can use the XML helper functions in the [XML elements library](usmt-xml-elem As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - ``` syntax + ```cmd SomeFunction("My String argument",NULL,NULL) ``` is equivalent to: - ``` syntax + ```cmd SomeFunction("My String argument") ``` diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 2c3791c771..b4790b2a5a 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -92,7 +92,7 @@ It isn't necessary to estimate the size of a hard-link migration store since har Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example: - ``` syntax + ```cmd ScanState.exe /hardlink c:\USMTMIG […] ``` @@ -144,7 +144,7 @@ A new section in the `Config.xml` file allows optional configuration of some of The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the ``** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 52126c877e..7249c768be 100644 
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -19,7 +19,7 @@ When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 The following .xml file migrates a single registry key. -``` xml +```xml Component to migrate only registry value string @@ -44,7 +44,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Including subfolders.** The following .xml file migrates all files and subfolders from `C:\EngineeringDrafts` to the destination computer. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents including subfolders @@ -63,7 +63,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Excluding subfolders.** The following .xml file migrates all files from `C:\EngineeringDrafts`, but it doesn't migrate any subfolders within `C:\EngineeringDrafts`. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -84,7 +84,7 @@ The following examples show how to migrate a folder from a specific drive, and f The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -``` xml +```xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -104,7 +104,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any location on the `C:\` drive. If multiple folders exist with the same name, they're all migrated. -``` xml +```xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive 
@@ -126,7 +126,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra The following .xml file migrates `.mp3` files located in the specified drives on the source computer into the `C:\Music` folder on the destination computer. -``` xml +```xml All .mp3 files to My Documents @@ -155,7 +155,7 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from a folder.** The following .xml file migrates only the `Sample.doc` file from `C:\EngineeringDrafts` on the source computer to the destination computer. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents @@ -174,13 +174,13 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from any location.** To migrate the `Sample.doc` file from any location on the `C:\` drive, use the **<pattern>** element, as the following example shows. If multiple files exist with the same name on the `C:\` drive, all of files with this name are migrated. - ``` xml + ```xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ``` xml + ```xml ``` diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index e15edd680e..06ccc91749 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -104,7 +104,7 @@ The following examples describe common scenarios in which you can use the diagno Let's imagine that we have the following directory structure and that we want the **data** directory to be included in the migration along with the **New Text Document.txt** file in the **New Folder**. The directory of `C:\data` contains: -``` console +```console 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM New Folder 
@@ -115,7 +115,7 @@ Let's imagine that we have the following directory structure and that we want th The directory of `C:\data\New Folder` contains: -``` console +```console 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt @@ -198,7 +198,7 @@ This diagnostic log confirms that the modified **<pattern>** value enables In this scenario, you have the following directory structure and you want all files in the **Data** directory to migrate, except for text files. The `C:\Data` folder contains: -``` console +```console Directory of C:\Data 01/21/2009 10:08 PM . @@ -211,7 +211,7 @@ Directory of C:\Data The `C:\Data\New Folder\` contains: -``` console +```console 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index f7f5a3ff7f..7b8526be55 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -34,7 +34,7 @@ Before using the **ScanState** tool for a migration that includes encrypted file You can run the [Cipher.exe](/windows-server/administration/windows-commands/cipher) tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt enter: -``` syntax +```cmd cipher.exe /D /S: ``` diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 8c124420e9..b0b1ba2611 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md 
@@ -23,7 +23,7 @@ Links to detailed explanations of commands are available in the [Related article 2. Enter the following `ScanState.exe` command line in a command prompt window: - ``` syntax + ```cmd ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o ```` @@ -33,13 +33,13 @@ Links to detailed explanations of commands are available in the [Related article - If you're migrating domain accounts, enter: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml ``` - If you're migrating local accounts along with domain accounts, enter: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /lac /lae ``` @@ -54,7 +54,7 @@ Links to detailed explanations of commands are available in the [Related article 2. Enter the following `ScanState.exe` command line in a command prompt window: - ``` syntax + ```cmd ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml /o ``` @@ -62,7 +62,7 @@ Links to detailed explanations of commands are available in the [Related article 4. Enter the following `LoadState.exe ` command line in a command prompt window: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml ``` @@ -74,7 +74,7 @@ Links to detailed explanations of commands are available in the [Related article 2. Enter the following `ScanState.exe` command line in a command prompt window: - ``` syntax + ```cmd ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:MigDocs.xml /i:MigApp.xml /o ``` @@ -82,7 +82,7 @@ Links to detailed explanations of commands are available in the [Related article 4. Enter the following `LoadState.exe ` command line in a command prompt window: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml ``` 
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index ba1aa306c6..026a457ea7 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -19,7 +19,7 @@ To reroute files and settings, create a custom .xml file and specify the .xml fi The following custom .xml file migrates the directories and files from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**. -``` xml +```xml Engineering Drafts Documents to Personal Folder @@ -47,7 +47,7 @@ The following custom .xml file migrates the directories and files from `C:\Engin The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the `C:\Music` folder on the destination computer. -``` xml +```xml All .mp3 files to My Documents @@ -74,7 +74,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o The following custom .xml file migrates the `Sample.doc` file from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**. -``` xml +```xml Sample.doc into My Documents diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index a05ce994e0..e8fd16c69f 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -43,7 +43,7 @@ The `ScanState.exe` command's syntax is: For example, to create a `Config.xml` file in the current directory, use: -``` syntax +```cmd ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13 ``` 
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index b4964f369a..9fac4ebca3 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj -ms.date: 11/01/2022 +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- @@ -78,6 +78,9 @@ This section describes the user data that USMT migrates by default, using the `M > [!NOTE] > The asterisk (`*`) stands for zero or more characters. + > [!NOTE] + > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. + - **Access control lists.** USMT migrates access control lists (ACLs) for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named `File1.txt` that is **read-only** for **User1** and **read/write** for **User2**, these settings will still apply on the destination computer after the migration. > [!IMPORTANT] diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 5bb2cf2322..2f004c83ff 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -59,7 +59,7 @@ Where the placeholders have the following values: To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, enter: -``` syntax +```cmd UsmtUtils.exe /verify D:\MyMigrationStore\store.mig ``` 
@@ -69,7 +69,7 @@ Because no report type is specified, **UsmtUtils** displays the default summary To verify whether the catalog file is corrupted or intact, enter: -``` syntax +```cmd UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig ``` @@ -77,7 +77,7 @@ UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, enter: -``` syntax +```cmd UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` ``` @@ -87,7 +87,7 @@ In addition to verifying the status of all files, this example decrypts the file In this example, the log file will only list the files that became corrupted during the **ScanState** process. This list will include the catalog file if it's also corrupted. -``` syntax +```cmd UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt ``` diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index e717e950c9..156809cb6d 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md 
@@ -17,20 +17,20 @@ When creating custom .xml files, note the following requirements: - **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ``` xml + ```xml ``` - **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line won't be processed. The second file won't be processed because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ``` xml + ```xml ``` - **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the `Config.xml` file defines the components by the display name and the migration URL ID. For example, specify the following syntax: - ``` xml + ```xml My Application ``` diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 1316467395..fbbf1013ee 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -11,12 +11,12 @@ ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to ms.collection: M365-modern-desktop -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Configure VDA for Windows subscription activation -Applies to: +*Applies to:* - Windows 10 - Windows 11 
@@ -61,42 +61,55 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl ## Active Directory-joined VMs 1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image) -2. (Optional) To disable network level authentication, type the following command at an elevated command prompt: + +2. (Optional) To disable network level authentication, enter the following command at an elevated command prompt: ```cmd - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +3. At an elevated command prompt, enter **sysdm.cpl**. + 4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. -5. Select **Add**, type **Authenticated users**, and then select **OK** three times. + +5. Select **Add**, enter **Authenticated users**, and then select **OK** three times. + 6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again. + 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8. 1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). - 1. Open Windows Configuration Designer and select **Provision desktop services**. - 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + + 2. 
Open Windows Configuration Designer and select **Provision desktop services**. + + 3. Under **Name**, enter **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. > [!NOTE] > You can use a different project name, but this name is also used with dism.exe in a later step. - 1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. - 1. On the Set up network page, choose **Off**. - 1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + 4. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + + 5. On the Set up network page, choose **Off**. + + 6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. > [!NOTE] > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). - 1. On the Add applications page, add applications if desired. This step is optional. - 1. On the Add certificates page, add certificates if desired. This step is optional. - 1. On the Finish page, select **Create**. - 1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. - 1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: + 7. On the Add applications page, add applications if desired. This step is optional. + + 8. On the Add certificates page, add certificates if desired. This step is optional. + + 9. On the Finish page, select **Create**. + + 10. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. + + 11. Enter the following command at an elevated command prompt. 
Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: ```cmd Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" ``` - 1. Right-click the mounted image in file explorer and select **Eject**. + 12. Right-click the mounted image in file explorer and select **Eject**. 8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image. 
@@ -107,33 +120,50 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. + - During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials. + - When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg** + - When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). ## Azure Gallery VMs -1. (Optional) To disable network level authentication, type the following command at an elevated command prompt: +1. (Optional) To disable network level authentication, enter the following command at an elevated command prompt: ```cmd - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -2. At an elevated command prompt, type `sysdm.cpl` and press ENTER. +2. At an elevated command prompt, enter `sysdm.cpl`. + 3. 
On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. -4. Select **Add**, type **Authenticated users**, and then select **OK** three times. + +4. Select **Add**, enter **Authenticated users**, and then select **OK** three times. + 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). + 6. Open Windows Configuration Designer and select **Provision desktop services**. + 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. - 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. - 2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. -8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. + + 1. Under **Name**, enter **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + + 2. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + +8. Under **Name**, enter **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. + 9. On the Set up network page, choose **Off**. + 10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. + 11. On the Add applications page, add applications if desired. This step is optional. + 12. On the Add certificates page, add certificates if desired. This step is optional. + 13. On the Finish page, select **Create**. + 14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system. > [!NOTE] 
@@ -142,9 +172,13 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j ## Create custom RDP settings for Azure 1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. + 2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it. + 3. Close the Remote Desktop Connection window and open Notepad. + 4. Open the RDP file in Notepad to edit it. + 5. Enter or replace the line that specifies authentication level with the following two lines of text: ```text @@ -162,4 +196,4 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j [Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) \ No newline at end of file +[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index cec3e17944..b5ccb893f4 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md 
@@ -33,18 +33,31 @@ Before performing proxy activation, ensure that the network and the VAMT install ### To perform an Active Directory forest proxy activation 1. Open VAMT. + 2. In the left-side pane, select the **Active Directory-Based Activation** node. + 3. In the right-side **Actions** pane, select **Proxy activate forest** to open the **Install Product Key** dialog box. + 4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. + 5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you select **Install Key**, the name can't be changed. + 6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then select **Open**. If you're activating an AD forest in an isolated workgroup, save the `.cilx` file to a removable media device. + 7. Select **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. + 8. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. + 9. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. + 10. In the **Acquire confirmation IDs for file** dialog box, browse to where the `.cilx` file you exported from the isolated workgroup host computer is located. Select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. + 11. 
When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Select **OK** to close the message. + 12. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. + 13. Open VAMT and then select the **Active Directory-Based Activation** node in the left-side pane. + 14. In the right-side **Actions** pane, select **Apply confirmation ID to Active Directory domain**, browse to the `.cilx` file and then select **Open**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index c19e08bdbc..3892da1105 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -14,7 +14,11 @@ ms.collection: highpri # Activate using Active Directory-based activation -(*Applies to: Windows, Windows Server, Office*) +*Applies to:* + +- Windows +- Windows Server +- Office > [!TIP] > Are you looking for information on retail activation? diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 0d3d2d93aa..e136dd82b5 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals # Activate using Key Management Service -(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*) +*Applies to:* + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 > [!TIP] > Are you looking for information on retail activation? @@ -39,14 +47,20 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos ### Configure KMS in Windows 10 -To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands: +To activate, use the `slmgr.vbs` command. Open an elevated command prompt and run one of the following commands: + +- To install the KMS key, run the command `slmgr.vbs /ipk `. + +- To activate online, run the command `slmgr.vbs /ato`. -- To install the KMS key, type `slmgr.vbs /ipk `. -- To activate online, type `slmgr.vbs /ato`. - To activate by telephone, follow these steps: + 1. Run `slmgr.vbs /dti` and confirm the installation ID. + 2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone. + 3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation. + 4. Run `slmgr.vbs /atp \`. For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)). 
@@ -58,42 +72,43 @@ Installing a KMS host key on a computer running Windows Server allows you to act > [!NOTE] > You cannot install a client KMS key into the KMS in Windows Server. -This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. +This scenario is commonly used in larger organizations that don't find the overhead of using a server a burden. > [!NOTE] -> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10). +> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [Error 0xC004F015 when you activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10). ### Configure KMS in Windows Server 2012 R2 1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. + 2. Launch Server Manager. + 3. Add the Volume Activation Services role, as shown in Figure 4. ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg) **Figure 4**. Adding the Volume Activation Services role in Server Manager -4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). +4. When the role installation is complete, select the link to launch the Volume Activation Tools (Figure 5). ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg) **Figure 5**. Launching the Volume Activation Tools -5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). - This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. +5. 
Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This computer can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg) **Figure 6**. Configuring the computer as a KMS host -6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). +6. Install your KMS host key by typing it in the text box, and then select **Commit** (Figure 7). ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg) **Figure 7**. Installing your KMS host key -7. If asked to confirm replacement of an existing key, click **Yes**. -8. After the product key is installed, you must activate it. Click **Next** (Figure 8). +7. If asked to confirm replacement of an existing key, select **Yes**. +8. After the product key is installed, you must activate it. Select **Next** (Figure 8). ![Activating the software.](../images/volumeactivationforwindows81-08.jpg) 
@@ -109,7 +124,7 @@ Now that the KMS host is configured, it will begin to listen for activation requ ## Verifying the configuration of Key Management Service -You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. +KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. > [!NOTE] > If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. 
@@ -117,18 +132,20 @@ You can verify KMS volume activation from the KMS host server or from the client To verify that KMS volume activation works, complete the following steps: 1. On the KMS host, open the event log and confirm that DNS publishing is successful. -2. On a client computer, open a Command Prompt window, type `Slmgr.vbs /ato`, and then press ENTER. + +2. On a client computer, open a Command Prompt window and run the command `Slmgr.vbs /ato`. The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. -3. On a client computer or the KMS host, open an elevated Command Prompt window, type `Slmgr.vbs /dlv`, and then press ENTER. - The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated. +3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command `Slmgr.vbs /dlv`. + + The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated. For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options). ## Key Management Service in earlier versions of Windows -If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. 
To upgrade your KMS host, complete the following steps: +If you've already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: 1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. 2. Request a new KMS host key from the Volume Licensing Service Center. diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 3becdf4dae..9be66de526 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals # Activate clients running Windows 10 -(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*) +*Applies to:* + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 > [!TIP] > Are you looking for information on retail activation? diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 07a8a62eaf..bb61a1db81 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md 
@@ -14,7 +14,15 @@ ms.topic: article # Appendix: Information sent to Microsoft during activation -(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*) +*Applies to:* + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 **Looking for retail activation?** diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 392c89d4bf..382a9b53d3 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -99,7 +99,7 @@ There are several options for organizations to configure the WMI firewall except - **Image.** Add the configurations to the master Windows image deployed to all clients. -- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. +- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security** > **Inbound Rules**. - **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility. diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 0f48de80b8..d811b9bb87 100644 
--- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -14,7 +14,15 @@ ms.date: 11/07/2022 # Monitor activation -(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*) +*Applies to:* + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 > [!TIP] > Are you looking for information on retail activation? diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index e9969efbf8..43a1c717d5 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -14,7 +14,15 @@ ms.date: 11/07/2022 # Plan for volume activation -(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*) +*Applies to:* + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 > [!TIP] > Are you looking for information on retail activation? diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index e742b9f498..b733a5046e 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md 
@@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals # Use the Volume Activation Management Tool -(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*) +*Applies to:* + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 > [!TIP] > Are you looking for information on retail activation? diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 35886bbb64..71e97c1a03 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -43,7 +43,7 @@ To open PowerShell with administrative credentials, select **Start** and enter ` For all supported operating systems, you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, enter: - ``` powershell + ```powershell cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0" ``` @@ -51,7 +51,7 @@ For all supported operating systems, you can use the VAMT PowerShell module incl To import the VAMT PowerShell module, enter the following command at a PowerShell command prompt: - ``` powershell + ```powershell Import-Module .\VAMT.psd1 ``` 
@@ -61,13 +61,13 @@ To import the VAMT PowerShell module, enter the following command at a PowerShel You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you're interested in. To view all of the Help content for a VAMT cmdlet, enter: -``` powershell +```powershell get-help -all ``` For example, enter: -``` powershell +```powershell get-help get-VamtProduct -all ``` @@ -78,24 +78,24 @@ get-help get-VamtProduct -all 1. To get the syntax to use with a cmdlet, enter the following command at a PowerShell command prompt: - ``` powershell + ```powershell get-help ``` For example, enter: - ``` powershell + ```powershell get-help get-VamtProduct ``` 2. To see examples using a cmdlet, enter: - ``` powershell + ```powershell get-help -examples ``` For example, enter: - ``` powershell + ```powershell get-help get-VamtProduct -examples ``` diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 948e4f2def..0507f060c7 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -46,13 +46,13 @@ On the KMS host computer, perform the following steps: 3. To extract the contents of the update, run the following command: - ``` syntax + ```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\ ``` 4. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: - ``` syntax + ```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168 ``` diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index a56f8ed301..3cc524e10f 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md 
@@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals # Volume Activation for Windows 10 -(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*) +*Applies to:* + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 > [!TIP] > Are you looking for volume licensing information? diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index dfab934f9d..c0fe80dccc 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -8,14 +8,15 @@ ms.author: frankroj manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Windows Deployment Services (WDS) boot.wim support -Applies to: -- Windows 10 +*Applies to:* + +- Windows 10 - Windows 11 The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported. @@ -38,7 +39,7 @@ The table below provides support details for specific deployment scenarios (Boot ## Reason for the change -Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. +Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected 
@@ -53,7 +54,7 @@ You can still run Windows Setup from a network share. Workflows that use a custo - Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked. - Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked. -If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. +If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. ## Also see diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index d7d8c65cc3..677807d5c7 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -9,13 +9,14 @@ ms.prod: windows-client ms.technology: itpro-deploy ms.localizationpriority: medium ms.topic: reference -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Windows 10 deployment process posters -**Applies to** -- Windows 10 +*Applies to:* + +- Windows 10 The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 4627e3d824..18e44ca25b 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md 
+++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -7,15 +7,15 @@ author: frankroj ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Windows 10 deployment scenarios -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each. @@ -55,9 +55,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen |[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)| |[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)| ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. +> [!IMPORTANT] +> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. ## Modern deployment methods 
@@ -86,19 +86,19 @@ Scenarios that support in-place upgrade with some other procedures include chang - **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. 
The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. +- Updating existing images. 
It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. ## Dynamic provisioning @@ -106,7 +106,7 @@ For new PCs, organizations have historically replaced the version of Windows inc The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: -### Windows 10 Subscription Activation +### Windows 10 Subscription Activation Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). 
@@ -122,17 +122,17 @@ These scenarios can be used to enable "choose your own device" (CYOD) programs. While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts. -## Traditional deployment: +## Traditional deployment -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them. The traditional deployment scenario can be divided into different sub-scenarios. 
These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary: -- **New computer.** A bare-metal deployment of a new machine. -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). +- **New computer**: A bare-metal deployment of a new machine. +- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). ### New computer @@ -140,13 +140,13 @@ Also called a "bare metal" deployment. This scenario occurs when you have a blan The deployment process for the new machine scenario is as follows: -1. Start the setup from boot media (CD, USB, ISO, or PXE). +1. Start the setup from boot media (CD, USB, ISO, or PXE). -2. Wipe the hard disk clean and create new volume(s). +2. Wipe the hard disk clean and create new volume(s). -3. Install the operating system image. +3. Install the operating system image. -4. Install other applications (as part of the task sequence). +4. Install other applications (as part of the task sequence). After you follow these steps, the computer is ready for use. 
@@ -156,17 +156,17 @@ A refresh is sometimes called wipe-and-load. The process is normally initiated i The deployment process for the wipe-and-load scenario is as follows: -1. Start the setup on a running operating system. +1. Start the setup on a running operating system. -2. Save the user state locally. +2. Save the user state locally. -3. Wipe the hard disk clean (except for the folder containing the backup). +3. Wipe the hard disk clean (except for the folder containing the backup). -4. Install the operating system image. +4. Install the operating system image. -5. Install other applications. +5. Install other applications. -6. Restore the user state. +6. Restore the user state. After you follow these steps, the machine is ready for use. @@ -176,9 +176,9 @@ A computer replace is similar to the refresh scenario. However, since we're repl The deployment process for the replace scenario is as follows: -1. Save the user state (data and settings) on the server through a backup job on the running operating system. +1. Save the user state (data and settings) on the server through a backup job on the running operating system. -2. Deploy the new computer as a bare-metal deployment. +2. Deploy the new computer as a bare-metal deployment. > [!NOTE] > In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 67864fbe6c..972ef1adaf 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md 
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -3,7 +3,7 @@ title: Windows 10/11 Enterprise E3 in CSP description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition. ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 author: frankroj ms.author: frankroj manager: aaroncz 
@@ -15,16 +15,17 @@ ms.technology: itpro-deploy # Windows 10/11 Enterprise E3 in CSP -Applies to: +*Applies to:* + - Windows 10 - Windows 11 -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites: -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. -- Azure Active Directory (Azure AD) available for identity management +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. +- Azure Active Directory (Azure AD) available for identity management You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. 
When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. 
@@ -32,22 +33,22 @@ Previously, only organizations with a Microsoft Volume Licensing Agreement could When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits: -- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. -- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. -- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). -- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. -- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. +- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. +- **Deploy on up to five devices**. 
For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. +- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). +- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? -- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. -- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: +- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. +- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - **Support**. 
These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. 
@@ -60,15 +61,15 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. -*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* +### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro |Feature|Description| |--- |--- | -|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

Credential Guard has the following features:

  • **Hardware-level security**. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
  • **Virtualization-based security**. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
  • **Improved protection against persistent threats**. Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
  • **Improved manageability**. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

    For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

    *Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*| -|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

    Device Guard protects in the following ways:

  • Helps protect against malware
  • Helps protect the Windows system core from vulnerability and zero-day exploits
  • Allows only trusted apps to run

    For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).| -|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).| -|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

    For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).| -|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.

    When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    UE-V provides the following features:

  • Specify which application and Windows settings synchronize across user devices
  • Deliver the settings anytime and anywhere users work throughout the enterprise
  • Create custom templates for your third-party or line-of-business applications
  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

    For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).| +|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

    Credential Guard has the following features:

  • **Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
  • **Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
  • **Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
  • **Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

    For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

    *Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*| +|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

    Device Guard protects in the following ways:
  • Helps protect against malware
  • Helps protect the Windows system core from vulnerability and zero-day exploits
  • Allows only trusted apps to run

    For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).| +|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).| +|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

    For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).| +|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.

    When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    UE-V provides the following features:
  • Specify which application and Windows settings synchronize across user devices
  • Deliver the settings anytime and anywhere users work throughout the enterprise
  • Create custom templates for your third-party or line-of-business applications
  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

    For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).| |Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:
  • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
  • Removing Log Off (the User tile) from the Start menu
  • Removing frequent programs from the Start menu
  • Removing the All Programs list from the Start menu
  • Preventing users from customizing their Start screen
  • Forcing Start menu to be either full-screen size or menu size
  • Preventing changes to Taskbar and Start menu settings| ## Deployment of Windows 10/11 Enterprise E3 licenses 
@@ -88,41 +89,39 @@ The following sections provide you with the high-level tasks that need to be per You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: -- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. +- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. -- **Manual**. You can manually turn on Credential Guard by taking one of the following actions: +- **Manual**. You can manually turn on Credential Guard by taking one of the following actions: - - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). You can automate these manual steps by using a management tool such as Microsoft Configuration Manager. 
For more information about implementing Credential Guard, see the following resources: -- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations) -- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - - +- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) ### Device Guard Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: -1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate. +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate. -2. 
**Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. +2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. -3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. 
With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. -4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. +4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. -5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. 
To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. -6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. +6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. -7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. +7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. For more information about implementing Device Guard, see: 
@@ -139,19 +138,20 @@ For more information about AppLocker management by using Group Policy, see [AppL App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows: -- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. -- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. -- **App-V client**. 
The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: -- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started) -- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) -- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) +- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started) +- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) ### UE-V + UE-V requires server and client-side components that you'll need to download, activate, and install. These components include: - **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. 
@@ -174,16 +174,16 @@ For more information about deploying UE-V, see the following resources: The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. -*Table 2. Managed User Experience features* +#### Table 2. Managed User Experience features | Feature | Description | |------------------|-----------------| | Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
    For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
    For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
    For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
    For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
    For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
    For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
    For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
    For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
    For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
    For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
    For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | ## Related articles diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 6668d42e52..66d08877b8 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -3,7 +3,7 @@ title: Windows 10 volume license media description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC). ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.reviewer: manager: aaroncz ms.author: frankroj @@ -14,9 +14,9 @@ ms.technology: itpro-deploy # Windows 10 volume license media -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. @@ -29,7 +29,7 @@ When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Ed > [!NOTE] > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). -Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. +Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. ### Language packs 
@@ -47,4 +47,4 @@ Features on demand is a method for adding features to your Windows 10 image that
    [Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
    [Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
    [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150) -
    [Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc) \ No newline at end of file +
    [Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc) diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 3c0da5a490..364c23a213 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -7,12 +7,12 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # How to install fonts that are missing after upgrading to Windows client -**Applies to** +*Applies to:* - Windows 10 - Windows 11 @@ -36,7 +36,7 @@ For example, if you've an English, French, German, or Spanish version of Windows If you want to use these fonts, you can enable the optional feature to add them back to your system. The removal of these fonts is a permanent change in behavior for Windows client, and it will remain this way in future releases. -## Installing language-associated features via language settings: +## Installing language-associated features via language settings If you want to use the fonts from the optional feature and you know that you'll want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app. @@ -57,7 +57,7 @@ Once you've added Hebrew to your language list, then the optional Hebrew font fe > [!NOTE] > The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. -## Install optional fonts manually without changing language settings: +## Install optional fonts manually without changing language settings If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. 
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 89f8d25fe4..3741412fbb 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -3,7 +3,7 @@ title: Step by step - Deploy Windows 10 in a test lab using MDT description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT). ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.reviewer: manager: aaroncz ms.author: frankroj 
@@ -14,23 +14,26 @@ ms.technology: itpro-deploy # Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 > [!IMPORTANT] -> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) +> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +> +> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) +> +> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: +> +> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): + - **DC1**: A contoso.com domain controller, DNS server, and DHCP server. - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. -This guide uses the Hyper-V server role. 
If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work. +This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work. ## In this guide @@ -50,10 +53,13 @@ Topics and procedures in this guide are summarized in the following table. An es ## About MDT -MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. +MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. + - LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. + - ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. -- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager. + +- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager. ## Install MDT 
@@ -80,11 +86,12 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch A reference image serves as the foundation for Windows 10 devices in your organization. -1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: +1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` + 2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. 3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. @@ -108,7 +115,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. -10. Use the following settings for the Import Operating System Wizard: +10. Use the following settings for the Import Operating System Wizard: - OS Type: **Full set of source files**
    - Source: **D:\\**
    - Destination: **W10Ent_x64**
    @@ -119,6 +126,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article. 11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
    - Task sequence name: **Windows 10 Enterprise x64 Default Image**
    - Task sequence comments: **Reference Build**
    @@ -143,7 +151,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. 17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - + > [!NOTE] > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. @@ -153,7 +161,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 20. Replace the default rules with the following text: - ```text + ```ini [Settings] Priority=Default @@ -188,7 +196,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - ```text + ```ini [Settings] Priority=Default @@ -211,7 +219,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi > [!TIP] > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. -26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: +26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands: ```powershell New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB 
@@ -221,21 +229,21 @@ A reference image serves as the foundation for Windows 10 devices in your organi vmconnect localhost REFW10X64-001 ``` - The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. + The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. 27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. 28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated. - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine.

    + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine.

    This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. @@ -244,6 +252,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. 1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd - **Share name**: MDTProd$ - **Deployment share description**: MDT Production @@ -259,7 +268,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**. -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. 8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**. 
@@ -274,6 +283,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**. 2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 - Task sequence name: Windows 10 Enterprise x64 Custom Image - Task sequence comments: Production Image @@ -282,22 +292,23 @@ This procedure will demonstrate how to deploy the reference image to the PoC env - Specify Product Key: Don't specify a product key at this time - Full Name: Contoso - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - + - Internet Explorer home page: `http://www.contoso.com` + - Admin Password: pass@word1 + ### Configure the MDT production deployment share -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: +1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands: ```powershell copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` + ``` + 2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**. 3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet): - ```text + ```ini [Settings] Priority=Default 
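Review bot: `- Admin Password: pass@word1` is kept as a cleartext credential while this hunk only strips the line's trailing whitespace; since the line is being touched anyway, consider adding a short qualifier that it is a throwaway value for the PoC lab and must be changed for anything outside the lab, in the same way the neighbouring `Specify Product Key: Don't specify a product key at this time` line already signals a placeholder.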
@@ -341,13 +352,13 @@ This procedure will demonstrate how to deploy the reference image to the PoC env If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui): - ```console + ```cmd ScanStateArgs=/ue:*\* /ui:CONTOSO\* ``` For example, to migrate **all** users on the computer, replace this line with the following line: - ```console + ```cmd ScanStateArgs=/all ``` @@ -355,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 4. Select **Edit Bootstap.ini** and replace text in the file with the following text: - ```text + ```ini [Settings] Priority=Default @@ -367,7 +378,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env SkipBDDWelcome=YES ``` -5. Select **OK** when finished. +5. Select **OK** when finished. ### Update the deployment share @@ -391,9 +402,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All + ```cmd + WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL.exe /Set-Server /AnswerClients:All ``` 2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**. 
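Review bot: in the WDS initialization hunk the fence is switched to cmd and the commands become `WDSUTIL.exe /Verbose /Progress /Initialize-Server ...` and `WDSUTIL.exe /Set-Server /AnswerClients:All`, but the introducing sentence still says "by typing the following command at an elevated Windows PowerShell prompt on SRV1". Either keep the powershell fence (WDSUTIL.exe runs unchanged from a PowerShell prompt) or change the prose to an elevated command prompt; the sentence also still says "typing" where the rest of this patch standardizes on "enter".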
@@ -404,12 +415,12 @@ This procedure will demonstrate how to deploy the reference image to the PoC env ### Deploy the client image -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway. +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway. > [!NOTE] - > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt. - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command: ```powershell Disable-NetAdapter "Ethernet 2" -Confirm:$false 
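Review bot: the rewritten note line `enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt` opens an inline-code backtick inside the bold span but never closes it, so the markdown will either render the backtick literally or swallow the rest of the line. Close the backtick before the closing `**`, or drop the bold and use plain backticks as the other inline commands in this file do.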
@@ -417,7 +428,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env >Wait until the disable-netadapter command completes before proceeding. -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt: ```powershell New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -437,7 +448,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**. -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command: ```powershell Enable-NetAdapter "Ethernet 2" 
@@ -453,7 +464,7 @@ This completes the demonstration of how to deploy a reference image to the netwo ## Refresh a computer with Windows 10 -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). 1. If the PC1 VM isn't already running, then start and connect to it: @@ -462,7 +473,7 @@ This section will demonstrate how to export user data from an existing client co vmconnect localhost PC1 ``` -2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState 
@@ -472,10 +483,10 @@ This section will demonstrate how to export user data from an existing client co Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. -4. Open an elevated command prompt on PC1 and type the following command: +4. Open an elevated command prompt on PC1 and enter the following command: - ```console - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ```cmd + cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` > [!NOTE] @@ -498,13 +509,13 @@ This section will demonstrate how to export user data from an existing client co 8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). -9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName RefreshState ``` -10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false 
@@ -516,15 +527,18 @@ This section will demonstrate how to export user data from an existing client co ## Replace a computer with Windows 10 -At a high level, the computer replace process consists of:
    +At a high level, the computer replace process consists of: + - A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.
    - A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. ### Create a backup-only task sequence 1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. + 2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + +3. enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-Item -Path C:\MigData -ItemType directory @@ -533,45 +547,56 @@ At a high level, the computer replace process consists of:
    ``` 4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**. + 5. Name the new folder **Other**, and complete the wizard using default options. + 6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 - **Task sequence name**: Backup Only Task Sequence - **Task sequence comments**: Run USMT to back up user data and settings - **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template) + 7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence. + +8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence. ### Run the backup-only task sequence -1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: +1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt: - ```console - whoami + ```cmd + whoami.exe ``` -2. To ensure a clean environment before running the backup task sequence, type the following commands at an elevated Windows PowerShell prompt on PC1: + +2. 
To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1: ```powershell Remove-Item c:\minint -recurse Remove-Item c:\_SMSTaskSequence -recurse Restart-Computer ``` -3. Sign in to PC1 using the contoso\administrator account, and then type the following command at an elevated command prompt: - ```console - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs +3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt: + + ```cmd + cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` 4. Complete the deployment wizard using the following settings: + - **Task Sequence**: Backup Only Task Sequence - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - **Computer Backup**: Don't back up the existing computer. + 5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. + 6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete. + 7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - ```powershell - PS C:\> dir C:\MigData\PC1\USMT + ```cmd + dir C:\MigData\PC1\USMT Directory: C:\MigData\PC1\USMT @@ -580,16 +605,16 @@ At a high level, the computer replace process consists of:
    -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG ``` -### Deploy PC3 +### Deploy PC3 -1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: +1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt: ```powershell New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 ``` -2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: +2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Disable-NetAdapter "Ethernet 2" -Confirm:$false @@ -628,6 +653,7 @@ At a high level, the computer replace process consists of:
    ## Troubleshooting logs, events, and utilities Deployment logs are available on the client computer in the following locations: + - Before the image is applied: X:\MININT\SMSOSD\OSDLOGS - After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS - After deployment: %WINDIR%\TEMP\DeploymentLogs diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index f7ecaa8853..46c6a2b39c 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -9,16 +9,16 @@ manager: aaroncz ms.author: frankroj author: frankroj ms.topic: tutorial -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows 10 in a test lab using Configuration Manager -*Applies to* +*Applies to:* - Windows 10 -> [!Important] +> [!IMPORTANT] > This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides: > > - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) @@ -59,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate ## Install prerequisites -1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ 
@@ -69,7 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate > If the request to add features fails, retry the installation by typing the command again. 2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso 
@@ -77,15 +77,15 @@ The procedures in this guide are summarized in the following table. An estimate This command mounts the .ISO file to drive D on SRV1. -4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: +4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: - ```powershell + ```cmd D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms ``` Installation will take several minutes. When installation is complete, the following output will be displayed: - ```dos + ```console Microsoft (R) SQL Server 2014 12.00.5000.00 Copyright (c) Microsoft Corporation. All rights reserved. @@ -99,10 +99,9 @@ The procedures in this guide are summarized in the following table. An estimate Success One or more affected files have operations pending. You should restart your computer to complete this process. - PS C:\> ``` -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: +5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow 
@@ -124,13 +123,13 @@ The procedures in this guide are summarized in the following table. An estimate Stop-Process -Name Explorer ``` -1. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1. +2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1. -1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. +3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. -1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: +4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - ```dos + ```powershell Get-Service Winmgmt Status Name DisplayName 
@@ -157,36 +156,48 @@ The procedures in this guide are summarized in the following table. An estimate If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. -1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: +5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt: - ```powershell - cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe + ```cmd + C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe ``` -1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: +6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1: - ```dos + ```cmd adsiedit.msc ``` -1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**. -1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**. -1. Select **container** and then select **Next**. -1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**. -1. Right-click **CN=system Management** and then select **Properties**. -1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**. -1. Under **Enter the object names to select**, type **SRV1** and select **OK**. -1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. -1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**. -1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times. -1. 
Close the ADSI Edit console and switch back to SRV1. -1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: +7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**. - ```powershell - cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe +8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**. + +9. Select **container** and then select **Next**. + +10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**. + +11. Right-click **CN=system Management** and then select **Properties**. + +12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**. + +13. Under **Enter the object names to select**, enter **SRV1** and select **OK**. + +14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. + +15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**. + +16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times. + +17. Close the ADSI Edit console and switch back to SRV1. + +18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1: + + ```cmd + C:\configmgr\SMSSETUP\BIN\X64\Setup.exe ``` -1. Provide the following information in the Configuration Manager Setup Wizard: +19. Provide the following information in the Configuration Manager Setup Wizard: + - **Before You Begin**: Read the text and select *Next*. - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - Select **Yes** in response to the popup window. 
@@ -206,7 +217,7 @@ The procedures in this guide are summarized in the following table. An estimate Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete. -1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: +20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: ```powershell Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 
@@ -217,24 +228,30 @@ The procedures in this guide are summarized in the following table. An estimate > [!IMPORTANT] > This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). + 1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. -2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: +2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso ``` -3. Type the following command at an elevated Windows PowerShell prompt on SRV1: +3. Enter the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" + ```cmd + D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi ``` 4. Install DaRT 10 using default settings. -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + +5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" 
@@ -247,7 +264,7 @@ This section contains several procedures to support Zero Touch installation with ### Create a folder structure -1. Type the following commands at a Windows PowerShell prompt on SRV1: +1. Enter the following commands at a Windows PowerShell prompt on SRV1: ```powershell New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" 
@@ -262,56 +279,78 @@ This section contains several procedures to support Zero Touch installation with ### Enable MDT ConfigMgr integration -1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**. -2. Type `PS1` as the **Site code**, and then select **Next**. +1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**. + +2. Enter `PS1` as the **Site code**, and then select **Next**. + 3. Verify **The process completed successfully** is displayed, and then select **Finish**. ### Configure client settings -1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**. +1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**. + 2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar. + 3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab. + 4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**. + 5. In the display pane, double-click **Default Client Settings**. -6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**. + +6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**. ### Configure the network access account -1. In the Administration workspace, expand **Site Configuration** and select **Sites**. +1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**. + 2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**. + 3. 
On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. + 4. Select the yellow starburst and then select **New Account**. -5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**. -6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice. + +5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**. + +6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice. ### Configure a boundary group -1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. -2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. +1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. + +2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. + 3. Choose **Default-First-Site-Name** and then select **OK** twice. -4. In the Administration workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. -5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. + +4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. + +5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. + 6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox. + 7. 
Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice. ### Add the state migration point role -1. In the Administration workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. +1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. + 2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. -3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**. + +3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**. + 4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. + 5. Select **Next** twice and then select **Close**. ### Enable PXE on the distribution point > [!IMPORTANT] -> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: +> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1: -```powershell -WDSUTIL /Set-Server /AnswerClients:None +```cmd +WDSUTIL.exe /Set-Server /AnswerClients:None ``` -1. Determine the MAC address of the internal network adapter on SRV1. 
Type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell (Get-NetAdapter "Ethernet").MacAddress @@ -321,8 +360,11 @@ WDSUTIL /Set-Server /AnswerClients:None > If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. 2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**. + 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**. + 4. On the PXE tab, select the following settings: + - **Enable PXE support for clients**. Select **Yes** in the popup that appears. - **Allow this distribution point to respond to incoming PXE requests** - **Enable unknown computer support**. Select **OK** in the popup that appears. @@ -334,10 +376,11 @@ WDSUTIL /Set-Server /AnswerClients:None ![Config Mgr PXE.](images/configmgr-pxe.png) 5. Select **OK**. -6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - ```powershell - cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 +6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: + + ```cmd + dir /b C:\RemoteInstall\SMSBoot\x64 abortpxe.com bootmgfw.efi 
@@ -349,12 +392,12 @@ WDSUTIL /Set-Server /AnswerClients:None ``` > [!NOTE] - > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. + > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. > - > You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + > You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: > - > ```powershell - > Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + > ```cmd + > "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe" > ``` > > The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: 
@@ -366,7 +409,8 @@ WDSUTIL /Set-Server /AnswerClients:None ### Create a branding image file 1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image. -2. Type the following command at an elevated Windows PowerShell prompt: + +2. Enter the following command at an elevated Windows PowerShell prompt: ```powershell Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp" 
@@ -378,16 +422,26 @@ WDSUTIL /Set-Server /AnswerClients:None ### Create a boot image for Configuration Manager 1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**. + +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**. + - The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**. + +3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**. + 4. On the Options page, under **Platform** choose **x64**, and select **Next**. + 5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image. + +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image. + 7. Select **Finish**. + 8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**. + 9. 
In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**. -10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: + +10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' @@ -400,12 +454,15 @@ WDSUTIL /Set-Server /AnswerClients:None ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. + 12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab. + 13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**. + 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: - ```console - cmd /c dir /s /b C:\RemoteInstall\SMSImages + ```cmd + dir /s /b C:\RemoteInstall\SMSImages C:\RemoteInstall\SMSImages\PS100004 C:\RemoteInstall\SMSImages\PS100005 
@@ -422,19 +479,19 @@ WDSUTIL /Set-Server /AnswerClients:None If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section. -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: +1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` -1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. +2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. -1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. 
To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**. -1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. -1. Use the following settings for the New Deployment Share Wizard: +5. Use the following settings for the New Deployment Share Wizard: - Deployment share path: **C:\MDTBuildLab** - Share name: **MDTBuildLab$** - Deployment share description: **MDT build lab** 
@@ -443,22 +500,23 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr - Progress: settings will be applied - Confirmation: Select **Finish** -1. Expand the **Deployment Shares** node, and then expand **MDT build lab**. +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. -1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. +7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. -1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. +8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. -1. Use the following settings for the Import Operating System Wizard: +9. Use the following settings for the Import Operating System Wizard: - OS Type: **Full set of source files** - Source: **D:\\** - Destination: **W10Ent_x64** - Summary: Select **Next** - Confirmation: Select **Finish** -1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications). +10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications). + +11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. 
Use the following settings for the New Task Sequence Wizard: -1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - Task sequence ID: **REFW10X64-001** - Task sequence name: **Windows 10 Enterprise x64 Default Image** - Task sequence comments: **Reference Build** 
@@ -467,31 +525,31 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr - Specify Product Key: **Do not specify a product key at this time** - Full Name: **Contoso** - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** + - Internet Explorer home page: **`http://www.contoso.com`** - Admin Password: **Do not specify an Administrator password at this time** - Summary: Select **Next** - Confirmation: Select **Finish** -1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. -1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo. +13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo. -1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again. +14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again. -1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. +15. 
Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. -1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. -1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. > [!NOTE] > Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications. -1. Select **OK** to complete editing the task sequence. +18. Select **OK** to complete editing the task sequence. -1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab. +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab. -1. Replace the default rules with the following text: +20. Replace the default rules with the following text: ```ini [Settings] 
@@ -526,7 +584,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr SkipFinalSummary=NO ``` -1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: +21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: ```ini [Settings] 
@@ -540,18 +598,18 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr SkipBDDWelcome=YES ``` -1. Select **OK** to complete the configuration of the deployment share. +22. Select **OK** to complete the configuration of the deployment share. -1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. -1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. -1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). > [!TIP] > To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**. -1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: +26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands: ```powershell New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB 
@@ -561,9 +619,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr vmconnect localhost REFW10X64-001 ``` -1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. +27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. -1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated. +28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated. Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures: @@ -579,7 +637,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr ### Add a Windows 10 OS image -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: +1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" 
@@ -588,9 +646,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**. -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**. +3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**. -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**. +4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**. 5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**. @@ -610,9 +668,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**. -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**. +3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**. 4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** - Account: Select **Set** - User name: **contoso\CM_JD** 
@@ -632,9 +691,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**. -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**. +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**. -8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**. +8. On the MDT Details page, next to **Name:** enter **MDT** and then select **Next**. 9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**. 
@@ -644,9 +703,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**. -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**. +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**. -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**. +14. On the Settings Details page, next to **Name:**, enter **Windows 10 x64 Settings**, and select **Next**. 15. On the Sysprep Package page, select **Next** twice. @@ -663,6 +722,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**. 5. Configure this **Request State Store** step with the following settings: + - Request state storage location to: **Restore state from another computer** - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox. - Options tab: Select the **Continue on error** checkbox. 
@@ -676,6 +736,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**. 7. Configure this **Release State Store** step with the following settings: + - Options tab: Select the **Continue on error** checkbox. - Add Condition: **Task Sequence Variable**: - Variable: **USMTLOCAL** @@ -704,10 +765,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**. -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: +5. Enter the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ```cmd + notepad.exe "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" ``` 6. Replace the contents of the file with the following text, and then save the file: 
@@ -735,9 +796,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr > OSDMigrateAdditionalCaptureOptions=/all > ``` -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears. +7. Return to the Configuration Manager console, and in the **Software Library** workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears. -8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**. +8. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**. 9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**. @@ -745,7 +806,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr ### Create a deployment for the task sequence -1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**. +1. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**. 2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**. 
@@ -761,7 +822,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings. -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +1. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -776,7 +837,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. -5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. +5. At the command prompt, enter **explorer.exe** and review the Windows PE file structure. 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted. @@ -796,6 +857,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment. 11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 - Install the Configuration Manager client and hotfix - Join the computer to the contoso.com domain 
@@ -803,7 +865,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. -13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image. +13. Right-click **Start**, select **Run**, enter **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image. 14. Shut down the PC4 VM. 
@@ -821,19 +883,25 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe ### Create a replace task sequence -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. +1. On SRV1, in the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. 2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**. -3. On the General page, type the following information: +3. On the General page, enter the following information: + - Task sequence name: **Replace Task Sequence** - Task sequence comments: **USMT backup only** 4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue. + 5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue. + 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue. + 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue. + 8. On the Summary page, review the details and then select **Next**. + 9. On the Confirmation page, select **Finish**. > [!NOTE] 
@@ -841,7 +909,7 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe ### Deploy PC4 -Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 
@@ -856,61 +924,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). -1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +2. If you haven't already saved a checkpoint for PC1, then do it now. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` -1. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. -1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. -1. When a popup dialog box asks if you want to run full discovery, select **Yes**. -1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): +3. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. + +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. + +5. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. + +6. When a popup dialog box asks if you want to run full discovery, select **Yes**. + +7. 
In the **Assets and Compliance** workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): > [!TIP] > If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console. The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next. -1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists. +8. Sign in to PC1 using the contoso\administrator account and enter the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists. > [!Note] - > This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt. + > This command requires an elevated command prompt, not an elevated Windows PowerShell prompt. - ```dos - sc stop ccmsetup + ```cmd + sc.exe stop ccmsetup "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall ``` > [!NOTE] > If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client). -1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type: +9. 
On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, enter: - ```dos - net stop wuauserv - net stop BITS + ```cmd + net.exe stop wuauserv + net.exe stop BITS ``` - Verify that both services were stopped successfully, then type the following command at an elevated command prompt: + Verify that both services were stopped successfully, then enter the following command at an elevated command prompt: - ```dos + ```cmd del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - net start BITS - bitsadmin /list /allusers + net.exe start BITS + bitsadmin.exe /list /allusers ``` Verify that BITSAdmin displays zero jobs. -1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt: +10. To install the Configuration Manager client as a standalone process, enter the following command at an elevated command prompt: - ```dos + ```cmd "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 ``` -1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. + +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. 
You can periodically open this file in notepad, or you can enter the following command at an elevated Windows PowerShell prompt to monitor installation progress: ```powershell Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait 
@@ -918,21 +991,21 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. -1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: +13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: - ```dos - control smscfgrc + ```cmd + control.exe smscfgrc ``` -1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example: +14. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example: ![site.](images/configmgr-site.png) If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry. -1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. 
This node will be added under **Devices**. +15. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. -1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: +16. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: ![client.](images/configmgr-client.png) @@ -941,9 +1014,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Create a device collection and deployment -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** 
@@ -956,7 +1030,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. -4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**. +4. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**. 5. Use the following settings in the Deploy Software wizard: - General > Collection: Select Browse and select **Install Windows 10 Enterprise x64** 
@@ -971,24 +1045,25 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Associate PC4 with PC1 -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**. +1. On SRV1 in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices** and then select **Import Computer Information**. 2. On the Select Source page, choose **Import single computer** and select **Next**. 3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \ + - Source Computer: \ 4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**. -5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice. +5. Select **Browse** and then under **Enter the object name to select** enter **user1** and select **OK** twice. 6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. 7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**. -8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. +8. In the **Assets and Compliance** workspace, select **User State Migration** and review the computer association in the display pane. 
The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration enter will be **side-by-side**. 9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**. @@ -1000,9 +1075,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Create a device collection for PC1 -1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **USMT Backup (Replace)** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** @@ -1032,15 +1108,15 @@ In the Configuration Manager console, in the **Software Library** workspace, und 1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt: - ```dos - control smscfgrc + ```cmd + control.exe smscfgrc ``` 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. -3. Type the following command at an elevated command prompt to open the Software Center: +3. Enter the following command at an elevated command prompt to open the Software Center: - ```dos + ```cmd C:\Windows\CCM\SCClient.exe ``` 
@@ -1052,26 +1128,30 @@ In the Configuration Manager console, in the **Software Library** workspace, und > If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. 5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**. + 6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. ### Deploy the new computer -1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Start-VM PC4 vmconnect localhost PC4 ``` -1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**. -1. Choose the **Windows 10 Enterprise X64** image. -1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host. +2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**. + +3. Choose the **Windows 10 Enterprise X64** image. + +4. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. + +5. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host. 
> [!Note] > The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs. - To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + To save a checkpoint for all VMs, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name DC1 -SnapshotName cm-refresh 
@@ -1083,14 +1163,17 @@ In the Configuration Manager console, in the **Software Library** workspace, und ### Initiate the computer refresh -1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +1. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. + 2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box. + 3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**. + 4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example: ![installOS.](images/configmgr-install-os.png) - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example: + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. 
You can view status of the installation in the Configuration Manager console by accessing the **Monitoring** workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example: ![asset.](images/configmgr-asset.png) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 376a7ff9c4..0998486d71 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -9,12 +9,12 @@ ms.prod: windows-client ms.technology: itpro-deploy ms.localizationpriority: medium ms.topic: tutorial -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Step by step guide: Configure a test lab to deploy Windows 10 -*Applies to* +*Applies to:* - Windows 10 @@ -69,6 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. + - **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2. Hardware requirements are displayed below: 
@@ -92,7 +93,9 @@ The lab architecture is summarized in the following diagram: ![PoC diagram.](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. > [!NOTE] @@ -120,8 +123,8 @@ Starting with Windows 8, the host computer's microprocessor must support second 1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - ```console - C:\>systeminfo + ```cmd + C:\>systeminfo.exe ... Hyper-V Requirements: VM Monitor Mode Extensions: Yes @@ -136,8 +139,8 @@ Starting with Windows 8, the host computer's microprocessor must support second You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example: - ```console - C:\>coreinfo -v + ```cmd + C:\>coreinfo.exe -v Coreinfo v3.31 - Dump information on system CPU and memory topology Copyright (C) 2008-2014 Mark Russinovich @@ -205,7 +208,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf The following example displays the procedures described in this section, both before and after downloading files: - ```console + ```cmd C:>mkdir VHD C:>cd VHD C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd 
@@ -225,13 +228,23 @@ When you have completed installation of Hyper-V on the host computer, begin conf If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM: -1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. +1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page. + + > [!NOTE] + > The above link may not be available in all locales. + 2. Under **Virtual machine**, choose **IE11 on Win7**. + 3. Under **Select platform**, choose **HyperV (Windows)**. + 4. Select **Download .zip**. The download is 3.31 GB. + 5. Extract the zip file. Three directories are created. + 6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. + 7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx). + 8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. If you have a PC available to convert to VM (computer 2): 
@@ -242,6 +255,7 @@ If you have a PC available to convert to VM (computer 2): > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network. 2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. + 3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). #### Determine the VM generation and partition type @@ -256,6 +270,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. + - To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: ```powershell @@ -265,7 +280,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: ```powershell -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type SystemName Caption Type ---------- ------- ---- 
@@ -276,7 +291,7 @@ USER-PC1 Disk #0, Partition #1 GPT On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: ```powershell -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type SystemName Caption Type ---------- ------- ---- @@ -293,34 +308,32 @@ Number Friendly Name OperationalStatus Tota 0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT ``` - - -**Choosing a VM generation** +##### Choosing a VM generation The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. -**Windows 7 MBR** +###### Windows 7 MBR |Architecture|VM generation|Procedure| |--- |--- |--- | |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| |64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| -**Windows 7 GPT** +###### Windows 7 GPT |Architecture|VM generation|Procedure| |--- |--- |--- | |32|N/A|N/A| |64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)| -**Windows 8 or later MBR** +###### Windows 8 or later MBR |Architecture|VM generation|Procedure| |--- |--- |--- | |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| |64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| -**Windows 8 or later GPT** +###### Windows 8 or later GPT |Architecture|VM generation|Procedure| |--- |--- |--- | 
@@ -347,7 +360,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS 3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example. > [!IMPORTANT] - > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). + > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example: @@ -374,13 +387,14 @@ The following tables display the Hyper-V VM generation to choose based on the OS 2. On the computer you wish to convert, open an elevated command prompt and type the following command: - ```console - mountvol s: /s + ```cmd + mountvol.exe s: /s ``` This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. + 4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected. > [!IMPORTANT] 
@@ -394,7 +408,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - ```console + ```cmd C:\vhd>dir /B 2012R2-poc-1.vhd 2012R2-poc-2.vhd @@ -409,6 +423,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. + 3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. > [!NOTE] @@ -524,7 +539,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to > [!NOTE] > The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. -5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. To create a generation 1 VM (using c:\vhd\w7.vhdx): 
@@ -574,19 +589,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to The VM will automatically boot into Windows Setup. In the PC1 window: 1. Select **Next**. + 2. Select **Repair your computer**. + 3. Select **Troubleshoot**. + 4. Select **Command Prompt**. + 5. Type the following command to save an image of the OS drive: - ```console - dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C + ```cmd + dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C ``` 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: - ```console - diskpart + ```cmd + diskpart.exe select disk 0 clean convert MBR @@ -601,14 +620,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 7. Type the following commands to restore the OS image and boot files: - ```console - dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ - bcdboot c:\windows + ```cmd + dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ + bcdboot.exe c:\windows exit ``` 8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD. + 9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: ```powershell 
@@ -626,8 +647,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to ``` 2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**. + 3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM. + +4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. + + > [!NOTE] + > Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM. + 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: ```powershell 
@@ -690,7 +717,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to The following output should be displayed: - ```powershell + ```console UseRootHint : True Timeout(s) : 3 EnableReordering : True @@ -752,8 +779,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection: - ```console - ipconfig + ```cmd + ipconfig.exe Windows IP Configuration @@ -909,8 +936,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - ```powershell - ping www.microsoft.com + ```cmd + ping.exe www.microsoft.com ``` If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command. 
@@ -924,8 +951,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK): - ```powershell - PS C:\> ping www.microsoft.com + ```cmd + ping www.microsoft.com Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data: Reply from 23.222.146.170: bytes=32 time=3ms TTL=51 @@ -943,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: ```powershell - runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm" + runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm" Restart-Computer ``` @@ -963,7 +990,7 @@ Use the following procedures to verify that the PoC environment is configured pr Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com Get-DhcpServerInDC Get-DhcpServerv4Statistics - ipconfig /all + ipconfig.exe /all ``` **Get-Service** displays a status of "Running" for all three services. @@ -988,8 +1015,8 @@ Use the following procedures to verify that the PoC environment is configured pr Get-Service DNS,RemoteAccess Get-DnsServerForwarder Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com - ipconfig /all - netsh int ipv4 show address + ipconfig.exe /all + netsh.exe int ipv4 show address ``` **Get-Service** displays a status of "Running" for both services. 
@@ -1004,38 +1031,38 @@ Use the following procedures to verify that the PoC environment is configured pr 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - ```powershell - whoami - hostname - nslookup www.microsoft.com - ping -n 1 dc1.contoso.com - tracert www.microsoft.com + ```cmd + whoami.exe + hostname.exe + nslookup.exe www.microsoft.com + ping.exe -n 1 dc1.contoso.com + tracert.exe www.microsoft.com ``` - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed. + **whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed. - **hostname** displays the name of the local computer, for example W7PC-001. + **hostname.exe** displays the name of the local computer, for example W7PC-001. - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. + **nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target. + **ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target. 
- **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + **tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. ## Appendix B: Terminology used in this guide |Term|Definition| |--- |--- | -|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.| -|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.| -|Hyper-V host|The computer where Hyper-V is installed.| -|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.| -|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.| -|Proof of concept (PoC)|Confirmation that a process or idea works as intended. 
A PoC is carried out in a test environment to learn about and verify a process.| -|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.| -|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.| -|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| -|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| +|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.| +|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.| +|**Hyper-V host**|The computer where Hyper-V is installed.| +|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.| +|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.| +|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. 
A PoC is carried out in a test environment to learn about and verify a process.| +|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.| +|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.| +|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| +|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| ## Next steps diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index e5ceaf1248..7bfe334519 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md 
@@ -9,13 +9,13 @@ ms.prod: windows-client ms.collection: - M365-modern-desktop ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Switch to Windows 10 Pro or Enterprise from S mode -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: 
@@ -37,20 +37,26 @@ Many other transformations are possible depending on which version and edition o | | Home | Not by any method | Not by any method | Not by any method | Use the following information to switch to Windows 10 Pro through the Microsoft Store. + > [!IMPORTANT] > While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. ## Switch one device through the Microsoft Store + Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. Note these differences affecting switching modes in various releases of Windows 10: - In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. -- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. -- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. -1. Sign into the Microsoft Store using your Microsoft account. +- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. 
+ +- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. + +1. Sign into the Microsoft Store using your Microsoft account. + 2. Search for "S mode". + 3. In the offer, select **Buy**, **Get**, or **Learn more.** You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. 
@@ -60,13 +66,14 @@ You'll be prompted to save your files before the switch starts. Follow the promp Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. 1. Start Microsoft Intune. -2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. + +2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**. + 3. Follow the instructions to complete the switch. ## Block users from switching -You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. -To set this policy, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. +You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. ## S mode management with CSPs @@ -77,4 +84,4 @@ In addition to using Microsoft Intune or another modern device management tool t [FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
    [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
    [Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)
    -[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune) \ No newline at end of file +[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 29d62e08fa..af9938ad6a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -13,7 +13,7 @@ ms.collection: search.appverid: - MET150 ms.topic: conceptual -ms.date: 10/31/2022 +ms.date: 11/23/2022 appliesto: - ✅ Windows 10 - ✅ Windows 11 
@@ -98,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). +> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: @@ -144,7 +144,7 @@ You can benefit by moving to Windows as an online service in the following ways: > [!NOTE] > The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions. -The device is Azure AD-joined from **Settings > Accounts > Access work or school**. +The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**. You assign Windows 10 Enterprise to a user: diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index f2fce638d0..f38cf33ebe 100644 
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -6,7 +6,7 @@ ms.author: frankroj manager: aaroncz ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- 
@@ -19,50 +19,50 @@ In previous releases of Windows, the Windows ADK docs were published on both Tec Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. -### Create a Windows image using command-line tools +## Create a Windows image using command-line tools [DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images. Here are some things you can do with DISM: -- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) -- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) -- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism) -- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) -- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) -- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism) -- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism) +- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) +- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) +- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism) +- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) +- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) +- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism) +- [Upgrade the Windows 
edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism) [Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation. Here are some things you can do with Sysprep: -- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation) -- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) -- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep) +- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation) +- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) +- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep) [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. 
Here are ways you can create a WinPE image: -- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) -- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) +- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) +- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems. Here are some things you can do with Windows RE: -- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re) -- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) +- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re) +- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) [Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation. 
Here are some things you can do with Windows SIM: -- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) -- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file) -- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file) -- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file) +- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) +- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file) +- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file) +- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file) For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center. 
@@ -72,12 +72,12 @@ Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/wi Here are some things you can do with Windows ICD: -- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) -- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) ### IT Pro Windows deployment tools There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: -- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) \ No newline at end of file +- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 4b87f046dd..854b107c86 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -1,7 +1,7 @@ --- title: Fix issues found by the Readiness assessment tool description: This article details how to fix issues found by the Readiness assessment tool -ms.date: 05/30/2022 +ms.date: 11/17/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 14d1e1698a..28d817ea6d 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -47,6 +47,9 @@ You'll need the following components to complete this lab: |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.| |**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| +> [!NOTE] +> When using a VM for Autopilot testing, assign at least two processors and 4 GB of memory. + ## Procedures A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices. diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml index edec9d080e..567e5d62a8 100644 --- a/windows/deployment/windows-autopilot/index.yml +++ b/windows/deployment/windows-autopilot/index.yml 
@@ -6,12 +6,10 @@ summary: 'Note: Windows Autopilot documentation has moved! A few more resources metadata: title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-deploy ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index d939130747..b6ac225f0e 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -6,7 +6,7 @@ ms.author: frankroj author: frankroj ms.prod: windows-client ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- 
@@ -32,13 +32,13 @@ DISM is one of the deployment tools included in the Windows ADK and is used for DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source: -``` syntax +```cmd Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess ``` In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` 
@@ -55,15 +55,15 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a USMT includes several command-line tools, the most important of which are ScanState and LoadState: -- **ScanState.exe.** This tool performs the user-state backup. -- **LoadState.exe.** This tool performs the user-state restore. -- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe. +- **ScanState.exe**: This tool performs the user-state backup. +- **LoadState.exe**: This tool performs the user-state restore. +- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe. In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates: -- **Migration templates.** The default templates in USMT. -- **Custom templates.** Custom templates that you create. -- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. +- **Migration templates**: The default templates in USMT. +- **Custom templates**: Custom templates that you create. +- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. ![A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files..](images/mdt-11-fig06.png) 
@@ -73,60 +73,21 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: -- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. -
    - USMT templates migrate the following file types: +- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. - - `.accdb` - - `.ch3` - - `.csv` - - `.dif` - - `.doc*` - - `.dot*` - - `.dqy` - - `.iqy` - - `.mcw` - - `.mdb*` - - `.mpp` - - `.one*` - - `.oqy` - - `.or6` - - `.pot*` - - `.ppa` - - `.pps*` - - `.ppt*` - - `.pre` - - `.pst` - - `.pub` - - `.qdf` - - `.qel` - - `.qph` - - `.qsd` - - `.rqy` - - `.rtf` - - `.scd` - - `.sh3` - - `.slk` - - `.txt` - - `.vl*` - - `.vsd` - - `.wk*` - - `.wpd` - - `.wps` - - `.wq1` - - `.wri` - - `.xl*` - - `.xla` - - `.xlb` - - `.xls*` -
    +- The following specific file types: + + `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*` + + > [!NOTE] + > The asterisk (`*`) stands for zero or more characters. > [!NOTE] > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. -- Operating system component settings -- Application settings +- Operating system component settings + +- Application settings These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md). @@ -160,7 +121,7 @@ The updated Volume Activation Management Tool. VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: -``` syntax +```powershell Get-VamtProduct ``` 
@@ -178,7 +139,7 @@ A machine booted with the Windows ADK default Windows PE boot image. For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). -## Windows Recovery Environment +## Windows Recovery Environment Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE. @@ -204,9 +165,9 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan Also, there are a few new features related to TFTP performance: -- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer. -- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability. -- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size. +- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer. +- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability. +- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size. ![TFTP changes are now easy to perform.](images/mdt-11-fig12.png) 
@@ -214,7 +175,6 @@ TFTP changes are now easy to perform. ## Microsoft Deployment Toolkit - MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution. MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager. 
@@ -242,16 +202,20 @@ MDOP is a suite of technologies available to Software Assurance customers throug The following components are included in the MDOP suite: -- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10. +- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10. -- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. +- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. -- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation. -- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines. 
-- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies. +- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation. +- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines. +- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies. For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/). + + ## Windows Server Update Services WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. 
@@ -274,32 +240,31 @@ For more information on WSUS, see the [Windows Server Update Services Overview]( ## Unified Extensible Firmware Interface - For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. ### Introduction to UEFI BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including: -- 16-bit code -- 1-MB address space -- Poor performance on ROM initialization -- MBR maximum bootable disk size of 2.2 TB +- 16-bit code +- 1-MB address space +- Poor performance on ROM initialization +- MBR maximum bootable disk size of 2.2 TB As the replacement to BIOS, UEFI has many features that Windows can and will use. With UEFI, you can benefit from: -- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. -- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. -- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. -- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. -- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. 
One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. -- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. -- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. -- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. +- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. +- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. +- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. +- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. +- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. 
+- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. +- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. +- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. -### Versions +### UEFI versions UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. 
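Review bot: two of the bullets retouched for whitespace in this hunk carry claims worth fixing while the lines are open. Under "Support for large disks", "more than 100 primary disks" should read "primary partitions": GPT removes the four-primary-partition limit of MBR, and Windows allows 128 partitions per GPT disk. The "Secure boot" bullet should also say that Secure Boot only applies when the firmware boots in native UEFI mode; booting through the compatibility support module described in the "Compatibility with earlier BIOS" bullet disables it, so a Class 2 device left in legacy mode gets none of the boot-loader protection the bullet promises.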
@@ -307,10 +272,10 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia In regard to UEFI, hardware is divided into four device classes: -- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. -- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. -- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. +- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. +- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. +- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. 
+- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. ### Windows support for UEFI 
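Review bot: the Class 3 bullet says you "must run an operating system that supports only UEFI", which inverts the requirement; it should read "an operating system that supports UEFI boot". The list of supported operating systems stops at Windows Server 2012 R2 although this page is about Windows 10 deployment; "Windows 8 and later, Windows Server 2012 and later" would be accurate. It is also worth one sentence that, because Class 3 devices have no CSM, a legacy-boot fallback cannot be used to sidestep Secure Boot on them, which is the security reason to prefer this class.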
@@ -322,14 +287,14 @@ With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 support There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices: -- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. -- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. -- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. -- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). +- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. +- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. +- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. +- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. ## Related articles [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
    -[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) \ No newline at end of file +[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index dc624bbd9f..aa9a8e5a92 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -8,12 +8,9 @@ brand: windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice # Optional; Remove if no subservice is used. - ms.topic: hub-page # Required + ms.topic: hub-page + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: dougeby #Required; your GitHub user alias, with correct capitalization. ms.author: dougeby #Required; microsoft alias of author; optional team alias. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 84eb2da0af..8484e3b795 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -36,9 +36,10 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.topic": "article", - "manager": "dansimp", - "audience": "ITPro", + "ms.localizationpriority": "medium", + "ms.prod": "windows-client", + "ms.technology": "itpro-security", + "manager": "aaroncz", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", 
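Review bot: the first bullet in the UEFI considerations hunk ("you also need to reinstall the operating system") is no longer accurate for the Windows 10 audience of this page: MBR2GPT.EXE, shipped since Windows 10 version 1703, converts an MBR system disk to GPT in place so the firmware can then be switched to UEFI mode without reinstalling; add that alternative. The FAT32 bullet states the 4 GB limit without the remedy; say that an install.wim larger than 4 GB must be split with DISM /Split-Image before it is copied to FAT32 media. In the windows/hub/index.yml hunk, dropping `services`, `ms.service` and `ms.subservice` in favour of `ms.prod: windows-client` is consistent with the rest of the PR; no concern there.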
@@ -48,7 +49,6 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", @@ -56,13 +56,22 @@ "claydetels19", "jborsecnik", "tiburd", + "AngelaMotherofDragons", + "dstrome", + "v-dihans", "garycentric" ], "searchScope": ["Windows 10"] }, "fileMetadata": { - "titleSuffix":{ - "threat-protection/**/*.md": "Windows security" + "author":{ + "identity-protection/hello-for-business/**/*.md": "paolomatarazzo" + }, + "ms.author":{ + "identity-protection/hello-for-business/**/*.md": "paoloma" + }, + "ms.reviewer":{ + "identity-protection/hello-for-business/**/*.md": "erikdau" } }, "template": [], diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 9217ed606d..33c5c76b9f 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
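Review bot: the new fileMetadata block in docfx.json assigns `ms.reviewer: erikdau` to every file under identity-protection/hello-for-business/**, while the per-file hunks later in this PR delete `ms.reviewer: prsriva` from those same files; the reviewer for the whole folder therefore changes rather than simply moving into global metadata. Confirm that is intended and mention it in the PR description. The earlier hunk in this file also removes the global `"ms.topic": "article"` and `"audience": "ITPro"`; the files touched here add `ms.topic: article` locally, but any file under windows/security that is not in this PR and relied on the global value now has no ms.topic, so run a docset build before merging.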
@@ -1,37 +1,23 @@ --- title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 03/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Multi-factor Unlock -**Requirements:** -* Windows Hello for Business deployment (Cloud, Hybrid or On-premises) -* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) -* Windows 10, version 1709 or newer, or Windows 11 -* Bluetooth, Bluetooth capable phone - optional +Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. - -Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices. +Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim. Which organizations can take advantage of Multi-factor unlock? Those who: -* Have expressed that PINs alone do not meet their security needs. 
-* Want to prevent Information Workers from sharing credentials. -* Want their organizations to comply with regulatory two-factor authentication policy. -* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution. + +- Have expressed that PINs alone do not meet their security needs +- Want to prevent Information Workers from sharing credentials +- Want their organizations to comply with regulatory two-factor authentication policy +- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d42b632977..721ddca258 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
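Review bot: typo in the added paragraph: "unlock theim" should be "unlock them". The new opening sentence says "a single credential (PIN and biometrics)"; it should be "PIN or biometrics", since the point is that one factor alone unlocks the device. Deleting the Requirements block also removes the minimum of Windows 10 version 1709, which is when multi-factor unlock shipped, and the note that a Bluetooth-capable phone is optional; the replacement `✅ Windows 10 and later` understates the minimum. Keep at least the version and the Bluetooth note in the body.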
@@ -1,25 +1,18 @@ --- title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 06/23/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Azure Active Directory join cloud only deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)] + ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. +When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed. You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. 
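Review bot: the include added at the top of the article is labelled `hello-hybrid-key-trust` but points at `../../includes/hello-cloud.md`. The bracketed name is only a label, but a label naming a different deployment model than the file it pulls in will mislead the next editor; rename it `hello-cloud` to match the file, as the cert-trust pages in this PR do with `hello-on-premises-cert-trust`.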
@@ -71,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** -To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` These registry settings are pushed from Intune for user policies: diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index edcdd4c52f..485f602211 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
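Review bot: the added query `GET https://graph.microsoft.com/v1.0/organization?$select=id` does return the tenant ID as `id`, but the lead-in "or try the following, ensuring to sign-in with your organization's account" is ungrammatical; suggest "or run the following query while signed in with your organization account". The context line `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies` also has a doubled backslash inside a code span, which renders literally; it should be a single backslash.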
@@ -1,22 +1,11 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 or later - - ✅ Hybrid or On-Premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 8f6de2d563..b7b06e3193 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,19 +1,10 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello and password changes 
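Review bot: in the hello-adequate-domain-controllers.md hunk, dropping `Hybrid or On-Premises deployment` and `Key trust` from appliesto removes the scoping that matters most for this article: the Windows Server 2016 domain controller requirement applies to key trust deployments, and readers on certificate trust will otherwise conclude they must upgrade domain controllers they do not need to. Either keep those two entries or add the same kind of deployment-model include the cert-trust pages receive in this PR.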
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index df42f82380..c9bc5a12f3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,21 +1,10 @@ --- title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.prod: windows-client -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/12/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello biometrics in the enterprise diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 20352aa60a..3486c444df 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
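Review bot: the biometrics hunk removes `✅ Windows Holographic for Business` from appliesto with nothing in the body replacing it, so the article no longer states that it covers HoloLens. If `Windows 10 and later` is meant to subsume it, say so in the text; otherwise restore the entry.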
@@ -1,25 +1,15 @@ --- title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/14/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust +# Prepare and Deploy Active Directory Federation Services (AD FS) -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS). The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. 
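Review bot: the rewritten opening sentence "Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS)" is wrong as a general statement: cloud and hybrid deployments do not use AD FS at all. The original meant that the on-premises deployment needs the AD FS role from Windows Server 2016 or later. Suggest: "On-premises deployments of Windows Hello for Business require the AD FS role included with Windows Server 2016 or later." While here, the context line "using the Windows Information Database as the configuration database" should read "Windows Internal Database (WID)".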
@@ -120,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. ## Review & validate +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Before you continue with the deployment, validate your deployment progress by reviewing the following items: - Confirm the AD FS farm uses the correct database configuration. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 760d69ed2e..bde42599c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
@@ -1,28 +1,21 @@ --- title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. -ms.prod: windows-client ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Configure Windows Hello for Business Policy settings - Certificate Trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + +To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later. On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business 
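Review bot: the deleted sentence carried the one concrete fact in this paragraph, that the Windows Hello for Business and PIN complexity Group Policy settings need a Windows 10 version 1703 or later management workstation; the replacement "Windows 10 or later" drops it. Also, the Download Center link (id=45520) is the RSAT MSI for Windows 10 version 1803 and earlier; on version 1809 and later RSAT is a Feature on Demand, so add `Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0` as the current install path.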
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index c324b543eb..af56ffb943 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -1,25 +1,17 @@ --- title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate Active Directory prerequisites for cert-trust deployment -The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + +The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. > [!NOTE] > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. 
@@ -30,7 +22,9 @@ Manually updating Active Directory uses the command-line utility **adprep.exe** To locate the schema master role holder, open and command prompt and type: -```Netdom query fsmo | findstr -i “schema”``` +```cmd +netdom.exe query fsmo | findstr.exe -i "schema" +``` ![Netdom example output.](images/hello-cmd-netdom.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 38589541ad..28d010fbd8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
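Review bot: the fenced `netdom.exe query fsmo | findstr.exe -i "schema"` is a good fix for the curly quotes that broke copy-paste, but the context line above it still reads "open and command prompt and type"; change to "open a command prompt and type". Worth adding that `netdom` ships with the AD DS RSAT tools, so the prompt must be on a domain controller or a machine with those tools installed.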
@@ -1,24 +1,16 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate and Deploy Multi-Factor Authentication feature +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 15298bba55..4b692280e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md 
@@ -1,29 +1,21 @@ --- title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate and Configure Public Key Infrastructure - Certificate Trust Model +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. ## Deploy an enterprise certificate authority -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services. ### Lab-based public key infrastructure 
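Review bot: this hunk drops "from Windows Server 2012 or later" from the AD CS requirement, but the context line in the next hunk of the same file still says "Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later", so the page is now inconsistent about the minimum; remove both or keep both. Grammar on the same line: "assumes most enterprise have" should be "assumes most enterprises have".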
@@ -34,13 +26,13 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o >[!NOTE] >Never install a certificate authority on a domain controller in a production environment. -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. +1. Open an elevated Windows PowerShell prompt +2. Use the following command to install the Active Directory Certificate Services role ```PowerShell Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration ```PowerShell Install-AdcsCertificationAuthority ``` diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 0c3dce349f..115a1041e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
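Review bot: `Install-AdcsCertificationAuthority` with no parameters prompts interactively and does not pin the CA type, while the section is titled "Deploy an enterprise certificate authority" and Windows Hello for Business needs an enterprise CA that publishes templates to Active Directory. Use `Install-AdcsCertificationAuthority -CAType EnterpriseRootCA` so the lab example produces the right kind of CA. The note about never installing a CA on a domain controller is the right caveat to keep.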
@@ -1,24 +1,16 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # On Premises Certificate Trust Deployment +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index e760eecda3..64b6af4819 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
@@ -1,25 +1,13 @@ --- title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Deployment Overview -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 - Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index b64a57e89f..8c8fd3b65d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
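Review bot: this hunk deletes the body "Applies to" block that stated `Windows 10, version 1703 or later` and replaces it with a frontmatter `appliesto: - ✅ Windows 10 and later`, so the page now implies support for every Windows 10 build, a claim it previously did not make. Either keep the 1703 minimum in the appliesto line (the field accepts free text, as the `✅ Windows Server 2016 and later` entries elsewhere in this PR show) or add one sentence in the overview stating the minimum version.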
@@ -1,17 +1,10 @@ --- title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -params: siblings_only -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/03/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Known Deployment Issues @@ -19,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym ## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error -Applies to: - -- Azure AD joined deployments -- Windows 10, version 1803 and later -- Windows 11 - PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 770fc668c9..6dfcd9f952 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md 
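Review bot: the second hunk here removes the per-issue scope under "PIN Reset on Azure AD Join Devices Fails" that read `Azure AD joined deployments` / `Windows 10, version 1803 and later`; the heading preserves the join type, but the page-level `appliesto: - ✅ Windows 10 and later` loses the 1803 minimum, so a reader on an older build could spend time on a workaround for a flow that does not exist there. Suggest keeping the version qualifier as a line under the heading. Also, the first hunk drops `params: siblings_only` with no explanation; if that key controlled sibling-page navigation, note in the PR why it is no longer needed.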
@@ -1,30 +1,21 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # On Premises Key Trust Deployment +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) 5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 85e91958b3..af71e186d2 100644 
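Review bot: the `appliesto` list in this key-trust guide drops Windows Server entirely, while the on-premises cert-trust guide earlier in this diff keeps `✅ Windows Server 2016 and later` next to the same `✅ Windows 10 and later` line. Both are on-premises guides, and this page's own step 3 is "Prepare and Deploy Active Directory Federation Services", which runs on Windows Server, so the two sibling pages should carry the same server entry. The rename of step 3 away from "Windows Server 2016 Active Directory Federation Services" is fine as long as the linked page does not still name the specific server version.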
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -1,207 +1,195 @@ --- -title: Deploying Certificates to Key Trust Users to Enable RDP -description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management +title: Deploy certificates for remote desktop sign-in +description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. +ms.collection: - ContentEngagementFY23 ms.topic: article localizationpriority: medium -ms.date: 02/22/2021 +ms.date: 11/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust - - ✅ Cloud Kerberos trust +- ✅ Windows 10 and later ms.technology: itpro-security --- -# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP +# Deploy certificates for remote desktop (RDP) sign-in -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) -This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user. +
    -Three approaches are documented here: +--- -1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy. +Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: -1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. +- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy +- Deploy certificates to hybrid or Azure AD-joined devices using Intune +- Work with third-party PKIs -1. Working with non-Microsoft enterprise certificate authorities. - -## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy - -### Create a Windows Hello for Business certificate template - -1. Sign in to your issuing certificate authority (CA). - -1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc). - -1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. - -1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console. - -1. Right-click the **Smartcard Logon** template and click **Duplicate Template** - - ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) - -1. On the **Compatibility** tab: - 1. Clear the **Show resulting changes** check box - 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list - 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list - -1. 
On the **General** tab: - 1. Specify a Template display name, such as **WHfB Certificate Authentication** - 1. Set the validity period to the desired value - 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example). - -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. - -1. On the **Subject Name** tab: - 1. Select the **Build from this Active Directory** information button if it is not already selected - 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected - 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Request Handling** tab: - 1. Select the **Renew with same key** check box - 1. Set the Purpose to **Signature and smartcard logon** - 1. Click **Yes** when prompted to change the certificate purpose - 1. Click **Prompt the user during enrollment** - -1. On the **Cryptography** tab: - 1. Set the Provider Category to **Key Storage Provider** - 1. Set the Algorithm name to **RSA** - 1. Set the minimum key size to **2048** - 1. Select **Requests must use one of the following providers** - 1. Tick **Microsoft Software Key Storage Provider** - 1. Set the Request hash to **SHA256** - -1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them. - -1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. - -1. Close the Certificate Templates console. - -1. Open an elevated command prompt and change to a temporary working directory. - -1. 
Execute the following command: - - `certutil -dstemplate \ \> \.txt` - - Replace \ with the Template name you took note of earlier in step 7. - -1. Open the text file created by the command above. - 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.** - 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"** - -1. Save the text file. - -1. Update the certificate template by executing the following command: - - certutil -dsaddtemplate \.txt - -1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** - - ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) - -1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. - -1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. - -### Requesting a Certificate - -1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. - -1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). - -1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** - - ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) - -1. On the Certificate Enrollment screen, click **Next**. - -1. 
Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**. - -1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**. - -1. After a successful certificate request, click Finish on the Certificate Installation Results screen - -## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune - -Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). - -Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](/mem/intune/protect/certificates-trusted-root). - -Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows: - -1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. Navigate to Devices \> Configuration Profiles \> Create profile. - -1. Enter the following properties: - 1. For Platform, select **Windows 10 and later**. - 1. For Profile, select **SCEP Certificate**. - 1. Click **Create**. - -1. In **Basics**, enter the following parameters: - 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company. - 1. 
**Description**: Enter a description for the profile. This setting is optional, but recommended. - 1. Select **Next**. - -1. In the **Configuration settings**, complete the following: - 1. For Certificate Type, choose **User**. - 1. For Subject name format, set it to **CN={{UserPrincipalName}}**. - 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**. - 1. For Certificate validity period, set a value of your choosing. - 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**. - 1. For Key usage, choose **Digital Signature**. - 1. For Key size (bits), choose **2048**. - 1. For Hash algorithm, choose **SHA-2**. - 1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate. - 1. Under Extended key usage, add the following: - - | Name | Object Identifier | Predefined Values | - |------|-------------------|-------------------| - | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon | - | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication | - - 1. For Renewal threshold (%), set a value of your choosing. - 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure. - 1. Click **Next** -1. In Assignments, target the devices or users who should receive a certificate and click **Next** - -1. In Applicability Rules, provide additional issuance restrictions if required and click **Next** - -1. In Review + create, click **Create** - -Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: - -1. 
Open the Certificates - Current User console (%windir%\system32\certmgr.msc) - -1. In the left pane of the MMC, expand **Personal** and select **Certificates** - -1. In the right-hand pane of the MMC, check for the new certificate +## Deploy certificates via Active Directory Certificate Services (AD CS) > [!NOTE] -> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies. +> This process is applicable to *hybrid Azure AD joined* devices only. -## Using non-Microsoft Enterprise Certificate Authorities +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template. -If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview). +Expand the following sections to learn more about the process. -As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet. +
    +
    +Create a Windows Hello for Business certificate template -The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate. +Follow these steps to create a certificate template: -## RDP Sign-in with Windows Hello for Business Certificate Authentication +1. Sign in to your issuing certificate authority (CA) and open *Server Manager* +1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens +1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage** +1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane +1. Right-click the **Smartcard Logon** template and select **Duplicate Template** +1. Use the following table to configure the template: -After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. + | Tab Name | Configurations | + | --- | --- | + | *Compatibility* |
    • Clear the **Show resulting changes** check box
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
    | + | *General* |
    • Specify a **Template display name**, for example *WHfB Certificate Authentication*
    • Set the validity period to the desired value
    • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
    | + | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| + | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it isn't already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**

    **Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.| + |*Request Handling*|
    • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
    • Select the **Renew with same key** check box
    • Select **Prompt the user during enrollment**
    | + |*Cryptography*|
    • Set the Provider Category to **Key Storage Provider**
    • Set the Algorithm name to **RSA**
    • Set the minimum key size to **2048**
    • Select **Requests must use one of the following providers**
    • Select **Microsoft Software Key Storage Provider**
    • Set the Request hash to **SHA256**
    | + |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| -1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid Azure Active Directory-Joined client where the authentication certificate has been deployed. -1. Attempt an RDP session to a target server. -1. Use the certificate credential protected by your Windows Hello for Business gesture. +1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates +1. Close the Certificate Templates console +1. Open an elevated command prompt and change to a temporary working directory +1. Execute the following command, replacing `` with the **Template display name** noted above + + ```cmd + certutil.exe -dstemplate > + ``` + +1. Open the text file created by the command above. + - Delete the last line of the output from the file that reads\ + `CertUtil: -dsTemplate command completed successfully.` + - Modify the line that reads\ + `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\ + `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` +1. Save the text file +1. Update the certificate template by executing the following command: + + ```cmd + certutil.exe -dsaddtemplate + ``` + +1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list +1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. 
Right-click the name of the CA again, select **All Tasks > Start Service** + +
    + +
    +
    +Request a certificate + +1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` +1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…** +1. On the Certificate Enrollment screen, select **Next** +1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next** +1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** +1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen + +
    + +## Deploy certificates via Intune + +> [!NOTE] +> This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune. + +Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to: + +- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1] +- [Configure and use PKCS certificates with Intune][MEM-2] + +Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5]. + +Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device. + +
    +
    +Create a policy in Intune + +This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy. + +1. Go to the Microsoft Endpoint Manager admin center +1. Select **Devices > Configuration profiles > Create profile** +1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate** +1. Select **Create** +1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next** +1. In the *Configuration settings* panel, use the following table to configure the policy: + + | Setting| Configurations | + | --- | --- | + |*Certificate Type*| User | + |*Subject name format* | `CN={{UserPrincipalName}}` | + |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}` + |*Certificate validity period* | Configure a value of your choosing| + |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** + |*Key usage*| **Digital Signature**| + |*Key size (bits)* | **2048**| + |*For Hash algorithm*|**SHA-2**| + |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate| + |*Extended key usage*|
    • *Name:* **Smart Card Logon**
    • *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
    • *Predefined Values:* **Not configured**

    • *Name:* **Client Authentication**
    • *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
    • *Predefined Values:* **Client Authentication**
    | + |*Renewal threshold (%)*|Configure a value of your choosing| + |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure| + +1. Select **Next** +1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next** +1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next** +1. In the *Review + create* panel, review the policy configuration and select **Create** + +For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3]. +To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4]. + +
    + +
    +
    +Request a certificate +Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps: + +1. Sign in to a client targeted by the Intune policy +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` +1. In the left pane of the MMC, expand **Personal** and select **Certificates** +1. In the right-hand pane of the MMC, check for the new certificate + +
    + +## Use third-party certification authorities + +If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. + +As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet. + +The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate. + +## RDP sign-in with Windows Hello for Business certificate authentication + +After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account. + +> [!NOTE] +> The certificate chain of the issuing CA must be trusted by the target server. + +1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed +1. Attempt an RDP session to a target server +1. 
Use the certificate credential protected by your Windows Hello for Business gesture to authenticate + +[MEM-1]: /mem/intune/protect/certificates-scep-configure +[MEM-2]: /mem/intune/protect/certificates-pfx-configure +[MEM-3]: /mem/intune/protect/certificates-profile-scep +[MEM-4]: /mem/intune/protect/certificates-pfx-configure +[MEM-5]: /mem/intune/protect/certificates-trusted-root +[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview + +[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 28bab60966..e1b28aec6f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,20 +1,10 @@ --- title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management ms.topic: troubleshooting -ms.localizationpriority: medium ms.date: 05/05/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Windows Hello errors during PIN creation diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index 32ec0a5204..484985c43d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md 
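Review bot: in the AD CS template procedure, the rewritten step "Execute the following command, replacing `` with the **Template display name** noted above" is wrong on the substitution and empty on the placeholder: `certutil -dstemplate` and `-dsaddtemplate` address a template by its Template *name* (the no-spaces CN that the *General* row itself tells the reader to record, `WHfBCertificateAuthentication`), not by the display name with spaces, and the original text had this right ("Replace \<TemplateName\> with the Template name you took note of earlier"). Both fenced commands also render with nothing after `-dstemplate` and `-dsaddtemplate`, so the angle-bracket placeholder appears to have been swallowed; restore it escaped, or show the concrete example `certutil.exe -dstemplate WHfBCertificateAuthentication > WHfBCertificateAuthentication.txt` followed by `certutil.exe -dsaddtemplate WHfBCertificateAuthentication.txt`. Smaller points in the same hunk: the *Extended key usage* row changes the Smart Card Logon entry from **Smart Card Logon** to **Predefined Values: Not configured** without saying why, so either confirm the Intune picker lacks that predefined value or restore it; the row label `*For Hash algorithm*` keeps a leftover "For" from the list it replaced; `[ key trust]` has a stray leading space in the link text; this file keeps `ms.technology: itpro-security` and `localizationpriority: medium` that every other page in this PR removes; and "RDP to any Windows devices" should read "any Windows device". On the one security-relevant sentence, the new NOTE "The certificate chain of the issuing CA must be trusted by the target server" is correct but less actionable than the old condition that the chain be *deployed* to the target, so consider "deployed to and trusted by the target server".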
@@ -1,19 +1,10 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Event ID 300 - Windows Hello successfully created diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 919393f45a..f4456c7110 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -18,9 +18,8 @@ metadata: ms.topic: faq localizationpriority: medium ms.date: 11/11/2022 - appliesto: - - ✅ Windows 10 - - ✅ Windows 11 + appliesto: + - ✅ Windows 10 and later title: Windows Hello for Business Frequently Asked Questions (FAQ) summary: | 
@@ -211,7 +210,7 @@ sections: - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? answer: | - No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. + No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. - question: Does Windows Hello for Business prevent the use of simple PINs? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index 8ac9d29d9f..a96e6d66b5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,16 +1,10 @@ --- title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Conditional access 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 24c66f9452..adfbe58657 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -1,16 +1,10 @@ --- title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Dual Enrollment @@ -19,7 +13,6 @@ ms.technology: itpro-security * Hybrid and On-premises Windows Hello for Business deployments * Enterprise joined or Hybrid Azure joined devices -* Windows 10, version 1709 or later * Certificate trust > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index bb878fcd09..6bae92fc12 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -1,19 +1,10 @@ --- title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Dynamic lock diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index b50e72d0ef..313ef05f54 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,21 +1,13 @@ --- title: Pin Reset description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 07/29/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # PIN reset 
@@ -31,11 +23,6 @@ There are two forms of PIN reset: There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. -**Requirements** - -- Reset from settings - Windows 10, version 1703 or later, Windows 11 -- Reset above Lock - Windows 10, version 1709 or later, Windows 11 - Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. @@ -185,7 +172,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi - Value: **True** >[!NOTE] -> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. +> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` --- 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 31cdaa7534..2281821bdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,24 +1,15 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/24/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Remote Desktop **Requirements** - -- Windows 10 -- Windows 11 - Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index d3817c3e30..27dde9400e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md 
@@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business and Authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index ab75ccda70..6d250848d5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 719c27216d..ad5eec8634 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
@@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - technology and terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 10/08/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Technology and terms 
@@ -158,7 +149,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t ## Federated environment -Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. +Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. ### Related to federated environment 
@@ -194,7 +185,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr ## Hybrid deployment -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. ### Related to hybrid deployment 
@@ -269,7 +260,7 @@ The Windows Hello for Business on-premises deployment is for organizations that ## Pass-through authentication -Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. 
With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to pass-through authentication 
@@ -283,7 +274,7 @@ Pass-through authentication provides a simple password validation for Azure AD a ## Password hash sync -Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. 
With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to password hash sync diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 03559c9e2e..9f3670151c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -1,18 +1,10 @@ --- title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/05/2018 -appliesto: - - ✅ Windows 10 and later -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # How Windows Hello for Business works in Windows Devices diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ce22c81e4f..a53b5977d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -1,25 +1,15 @@ --- title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/14/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure Active Directory-join - - ✅ Hybrid Deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + ## Prerequisites Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 441651ecdb..1b222da4f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -1,26 +1,16 @@ --- -title: Using Certificates for AADJ On-premises Single-sign On single sign-on +title: Use Certificates to enable SSO for Azure AD join devices description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure AD-join - - ✅ Hybrid Deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Using Certificates for AADJ On-premises Single-sign On +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)] + If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 8d2c2d3eb7..1acc6aa213 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md 
@@ -1,22 +1,15 @@ --- title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Azure AD Join Single Sign-on Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index d68fe373c4..234f257566 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 912929f030..997dbea6e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -1,24 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] + Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index f3bd6859f8..56e0d50918 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Prerequisites +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index fbf527bf4b..caf8cfe867 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md 
@@ -1,39 +1,30 @@ --- title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/08/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Certificate Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. 
## New Deployment Baseline -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. ## Federated Baseline -The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. +The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. 
Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 191ad50880..fa4284edd5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 82c2369b6c..748cc46a44 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 55a8c1fe51..83988357c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -1,24 +1,15 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Federation Services The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 9340b2698b..5002843385 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
@@ -1,25 +1,16 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 0c6e6e4808..98725d74b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -1,25 +1,16 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 9665843315..ad8ff6984f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,24 +1,14 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] ## Policy Configuration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 68da777df7..360f679614 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index d9cd8d2065..d8063e6127 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -1,29 +1,14 @@ --- title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/1/2022 -appliesto: - - ✅ Windows 10, version 21H2 and later -ms.technology: itpro-security +appliesto: +- ✅ Windows 10, version 21H2 and later +ms.topic: article --- # Hybrid cloud Kerberos trust deployment -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md)\ -✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
    - ---- +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)] Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 98e359fe83..32f0d91fc6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -1,24 +1,15 @@ --- title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 60421b9698..e6d1d3275c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,24 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/04/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 883e949f0a..18df532ca9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md 
@@ -1,24 +1,15 @@ --- title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index a91f625b7b..17e3fe7e61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -1,24 +1,16 @@ --- title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: 
@@ -33,7 +25,7 @@ The distributed systems on which these technologies were built involved several Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. +A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. 
@@ -113,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. +Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index addf5f5a20..9ab687ded9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md 
@@ -1,33 +1,24 @@ --- title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. 
## New Deployment Baseline ## -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 85b0134eed..b5c704fb93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -1,23 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index eefcf80dae..cb30af909d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md 
@@ -1,24 +1,14 @@ --- title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory -appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Hybrid deployment -- ✅ Key trust +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 4a6cacda34..f19aab257d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
@@ -1,27 +1,18 @@ --- title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Directory Synchronization -In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. ### Group Memberships for the Azure AD Connect Service Account >[!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 7d80a9ac21..a824e822fe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 04/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 6d891a5b53..333f505d95 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] + ## Policy Configuration You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 48fe302c63..5e24b6de2c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md 
@@ -1,26 +1,17 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. - + > [!IMPORTANT] > Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 1b10ff4e76..37b6335a50 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md 
@@ -1,18 +1,13 @@ --- title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 2/15/2022 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Deployment Prerequisite Overview @@ -21,7 +16,6 @@ This article lists the infrastructure requirements for the different deployment ## Azure AD Cloud Only Deployment -* Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account * Azure Active Directory * Azure AD Multifactor Authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index b9d46ebca9..4a8dc18965 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -1,24 +1,15 @@ --- title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 090e46cd72..c618365d4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -1,28 +1,18 @@ --- title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Windows Hello for Business Policy settings - Key Trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. +To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. 
You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + +Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index a7cf2a4367..57080612a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
@@ -1,25 +1,16 @@ --- title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate Active Directory prerequisites - Key Trust -Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + +Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. 
If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 42ee5bdd01..046acb3df3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,24 +1,15 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate and Deploy Multifactor Authentication (MFA) +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5a4c114b16..c3a9226714 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -1,24 +1,15 @@ --- title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate and Configure Public Key Infrastructure - Key Trust +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index ef4ec913e4..2d83fca7b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
@@ -1,31 +1,21 @@ --- title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Manage Windows Hello for Business in your organization -You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. +You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. -> ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. > >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. @@ -144,9 +134,10 @@ All PIN complexity policies are grouped separately from feature enablement and a >- LowercaseLetters - 1 >- SpecialCharacters - 1 + 
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index eb85e9ca3b..87ec948d71 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,25 +1,16 @@ --- title: Windows Hello for Business Overview (Windows) description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: conceptual -localizationpriority: medium appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Windows Hello for Business Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. +Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 36ba184666..c3c5912b26 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -1,20 +1,10 @@ --- title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: conceptual ms.date: 09/16/2020 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Planning a Windows Hello for Business Deployment 
@@ -189,9 +179,9 @@ Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2 Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. -One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). +One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. 
If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 78291dadbd..69e4a380e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,19 +1,10 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Prepare people to use Windows Hello diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 3a99c148bd..bf6f5a4ea0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md 
@@ -1,19 +1,10 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/26/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Videos ## Overview of Windows Hello for Business and Features diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 68cc9b2ecd..f2ba4fd368 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
@@ -1,26 +1,18 @@ --- title: Why a PIN is better than an online password (Windows) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva +description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. ms.collection: - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 10/23/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Why a PIN is better than an online password -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. +Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? +On the surface, a PIN looks much like a password. 
A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index a446e2b52f..6d5ad8dea5 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -1,16 +1,10 @@ --- title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/14/2018 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # What is a Microsoft-compatible security key? diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 5c2b1147af..a18a0b3aeb 100644 
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,24 +1,15 @@ --- title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management ms.topic: conceptual -localizationpriority: medium ms.date: 05/24/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Password-less strategy -This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. +This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy. ## Four steps to password freedom 
@@ -309,7 +300,7 @@ The following image shows the SCRIL setting for a user in Active Directory Users :::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options."::: -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. The users are effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because: - They don't know their password. - Their password is 128 random bits of data and is likely to include non-typable characters. diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index bf8a6a57bf..366a317f73 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md 
@@ -1,16 +1,10 @@ --- title: Reset-security-key description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/14/2018 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # How to reset a Microsoft-compatible security key? > [!Warning] diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 4653d23331..5aa1fcad6a 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -1,17 +1,11 @@ --- title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. -ms.prod: windows-client -ms.localizationpriority: high -author: paolomatarazzo -ms.author: paoloma ms.date: 10/16/2017 -manager: aaroncz -ms.topic: article appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.technology: itpro-security +ms.topic: article --- # How Windows Hello for Business works in Windows devices diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c22050ab0..502a196109 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
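Review bot: `appliesto` is left inconsistent across the pages touched by this change. retired/hello-how-it-works.md keeps the two-line `✅ Windows 10` / `✅ Windows 11` list while reset-security-key.md here (and passwordless-strategy.md and webauthn-apis.md elsewhere in the PR) move to the single `✅ Windows 10 and later` entry; pick one form for all of them. While the reset-security-key.md front matter is being edited, fix the subject-verb agreement in its description ("Windows 10 and Windows 11 enables users" should be "enable", or simply "Windows enables users") and consider a readable title in place of the file name "Reset-security-key".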
@@ -1,13 +1,11 @@ - name: Windows Hello for Business documentation href: index.yml -- name: Overview - items: - - name: Windows Hello for Business Overview - href: hello-overview.md - name: Concepts expanded: true items: - - name: Passwordless Strategy + - name: Windows Hello for Business overview + href: hello-overview.md + - name: Passwordless strategy href: passwordless-strategy.md - name: Why a PIN is better than a password href: hello-why-pin-is-better-than-password.md 
@@ -15,129 +13,160 @@ href: hello-biometrics-in-enterprise.md - name: How Windows Hello for Business works href: hello-how-it-works.md - - name: Technical Deep Dive - items: - - name: Provisioning - href: hello-how-it-works-provisioning.md - - name: Authentication - href: hello-how-it-works-authentication.md - - name: WebAuthn APIs - href: webauthn-apis.md -- name: How-to Guides +- name: Deployment guides items: - - name: Windows Hello for Business Deployment Overview + - name: Windows Hello for Business deployment overview href: hello-deployment-guide.md - - name: Planning a Windows Hello for Business Deployment + - name: Planning a Windows Hello for Business deployment href: hello-planning-guide.md - - name: Deployment Prerequisite Overview + - name: Deployment prerequisite overview href: hello-identity-verification.md - - name: Prepare people to use Windows Hello - href: hello-prepare-people-to-use.md - - name: Deployment Guides + - name: Cloud-only deployment + href: hello-aad-join-cloud-only-deploy.md + - name: Hybrid deployments items: - - name: Hybrid Cloud Kerberos Trust Deployment + - name: Cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - - name: Hybrid Azure AD Joined Key Trust + - name: Key trust deployment items: - - name: Hybrid Azure AD Joined Key Trust Deployment + - name: Overview href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-key-new-install.md - - name: Configure Directory Synchronization + - name: Configure directory synchronization href: hello-hybrid-key-trust-dirsync.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-key-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-key-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: 
hello-hybrid-key-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-key-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-key-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-key-whfb-settings-pki.md + - name: Configure Group Policy settings + href: hello-hybrid-key-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-key-whfb-provision.md - - name: Hybrid Azure AD Joined Certificate Trust + - name: On-premises SSO for Azure AD joined devices + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for on-premises SSO + href: hello-hybrid-aadj-sso-base.md + - name: Certificate trust deployment items: - - name: Hybrid Azure AD Joined Certificate Trust Deployment + - name: Overview href: hello-hybrid-cert-trust.md - name: Prerequisites href: hello-hybrid-cert-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-cert-new-install.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-cert-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-cert-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: hello-hybrid-cert-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-cert-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-cert-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-cert-whfb-settings-pki.md + - name: Configure AD FS + href: hello-hybrid-cert-whfb-settings-adfs.md + - name: Configure Group Policy settings + href: hello-hybrid-cert-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-cert-whfb-provision.md - - name: On-premises SSO for Azure AD Joined Devices - items: - - name: On-premises SSO for Azure AD 
Joined Devices Deployment + - name: On-premises SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md - - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + - name: Configure Azure AD joined devices for on-premises SSO href: hello-hybrid-aadj-sso-base.md - - name: Using Certificates for AADJ On-premises Single-sign On + - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - - name: On-premises Key Trust + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: On-premises deployments + items: + - name: Key trust deployment items: - - name: On-premises Key Trust Deployment + - name: Overview href: hello-deployment-key-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-key-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-key-trust-policy-settings.md - - name: On-premises Certificate Trust + - name: Certificate trust deployment items: - - name: On-premises Certificate Trust Deployment + - name: Overview href: hello-deployment-cert-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-cert-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public 
Key Infrastructure (PKI) href: hello-cert-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: hello-cert-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy.md - - name: Managing Windows Hello for Business in your organization - href: hello-manage-in-organization.md - - name: Deploying Certificates to Key Trust Users to Enable RDP - href: hello-deployment-rdp-certs.md - - name: Windows Hello for Business Features - items: - - name: Conditional Access - href: hello-feature-conditional-access.md - - name: PIN Reset - href: hello-feature-pin-reset.md - - name: Dual Enrollment - href: hello-feature-dual-enrollment.md - - name: Dynamic Lock - href: hello-feature-dynamic-lock.md - - name: Multi-factor Unlock - href: feature-multifactor-unlock.md - - name: Remote Desktop - href: hello-feature-remote-desktop.md - - name: Troubleshooting - items: - - name: Known Deployment Issues - href: hello-deployment-issues.md - - name: Errors During PIN Creation - href: hello-errors-during-pin-creation.md - - name: Event ID 300 - Windows Hello successfully created - href: hello-event-300.md - - name: Windows Hello and password changes - href: hello-and-password-changes.md + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: Deploy certificates for remote desktop (RDP) sign-in + href: hello-deployment-rdp-certs.md +- name: How-to Guides + items: + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Manage Windows Hello for 
Business in your organization + href: hello-manage-in-organization.md +- name: Windows Hello for Business features + items: + - name: Conditional access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote desktop (RDP) sign-in + href: hello-feature-remote-desktop.md +- name: Troubleshooting + items: + - name: Known deployment issues + href: hello-deployment-issues.md + - name: Errors during PIN creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md - name: Reference items: - - name: Technology and Terminology + - name: How Windows Hello for Business provisioning works + href: hello-how-it-works-provisioning.md + - name: How Windows Hello for Business authentication works + href: hello-how-it-works-authentication.md + - name: WebAuthn APIs + href: webauthn-apis.md + - name: Technology and terminology href: hello-how-it-works-technology.md - name: Frequently Asked Questions (FAQ) href: hello-faq.yml - name: Windows Hello for Business videos href: hello-videos.md + diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md index afac158d28..534fddf6ee 100644 --- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md 
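Review bot: two sets of TOC entries are now duplicated under "Hybrid deployments". `hello-hybrid-aadj-sso.md` and `hello-hybrid-aadj-sso-base.md` are listed under "Key trust deployment" and again under "Certificate trust deployment" (where `hello-hybrid-aadj-sso-cert.md` also appears), and `hello-adequate-domain-controllers.md` ("Planning for Domain Controller load") is listed under both "Hybrid deployments" and "On-premises deployments". If the repetition is deliberate because the pages apply to both trust types, say so in the PR; otherwise place each page once at the parent level, since a page under two TOC nodes gets two "current" highlights. Minor: the two AD FS entries differ in case ("Prepare and deploy Active Directory Federation Services (AD FS)" for key trust versus "Prepare and Deploy ..." for certificate trust), "Domain Controller" should be lower-case to match the sentence-case titles this hunk adopts everywhere else, and the hunk adds a trailing empty line at the end of toc.yml.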
@@ -1,19 +1,10 @@ --- title: WebAuthn APIs description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # WebAuthn APIs for passwordless authentication on Windows diff --git a/windows/security/includes/hello-cloud.md b/windows/security/includes/hello-cloud.md new file mode 100644 index 0000000000..c40ed1027c --- /dev/null +++ b/windows/security/includes/hello-cloud.md @@ -0,0 +1,7 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [cloud](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/includes/hello-hybrid-cert-trust-aad.md new file mode 100644 index 0000000000..e80912d8b9 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md new file mode 100644 index 0000000000..4ef97bd233 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/includes/hello-hybrid-cert-trust.md new file mode 100644 index 0000000000..77a897f264 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/includes/hello-hybrid-cloudkerb-trust.md new file mode 100644 index 0000000000..4f68be791b --- /dev/null +++ b/windows/security/includes/hello-hybrid-cloudkerb-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [cloud Kerberos trust](../identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md new file mode 100644 index 0000000000..68521a5a14 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust-ad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/includes/hello-hybrid-key-trust.md new file mode 100644 index 0000000000..fdb7466014 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/includes/hello-hybrid-keycert-trust-aad.md new file mode 100644 index 0000000000..a8d82200d3 --- /dev/null +++ b/windows/security/includes/hello-hybrid-keycert-trust-aad.md @@ -0,0 +1,7 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust), [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) +
    + +--- diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/includes/hello-on-premises-cert-trust.md new file mode 100644 index 0000000000..2cc01ac3ac --- /dev/null +++ b/windows/security/includes/hello-on-premises-cert-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** Active Directory domain join + +
    + +--- diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/includes/hello-on-premises-key-trust.md new file mode 100644 index 0000000000..cd6241fa72 --- /dev/null +++ b/windows/security/includes/hello-on-premises-key-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** Active Directory domain join + +
    + +--- diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index a2bd69a418..aaee4befef 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md 
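Review bot: the new include files are inconsistent about where the trust-type link points. hello-hybrid-cloudkerb-trust.md links "cloud Kerberos trust" to the deployment guide (hello-hybrid-cloud-kerberos-trust.md), while every other include links the trust type to an anchor in hello-how-it-works-technology.md (`#key-trust`, `#certificate-trust`); either add a matching anchor to the technology page or note why cloud Kerberos trust is different. Each new file also ends with several empty lines, one of them whitespace-only, before the closing `---`; trim to a single blank line so the include renders the same wherever it is embedded. In the two on-premises includes, "Active Directory domain join" is plain text while the Azure AD join and hybrid Azure AD join entries are links; link it too if the technology page has a section for it.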
@@ -1,261 +1,258 @@ --- title: BCD settings and BitLocker (Windows 10) -description: This topic for IT professionals describes the BCD settings that are used by BitLocker. +description: This article for IT professionals describes the BCD settings that are used by BitLocker. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # Boot Configuration Data settings and BitLocker -**Applies to** +This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. -This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. - -When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered. +When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered. ## BitLocker and BCD Settings In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode. -In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. 
If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. -If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage. +In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit the preferences for validation. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage. ### When secure boot is enabled Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored. -One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system. +One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system. 
## Customizing BCD validation settings To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting. -For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog: +For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog: -- winload -- winresume -- memtest -- all of the above +- winload +- winresume +- memtest +- all of the above -All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.” +All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name." The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event. -You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”. +You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`. 
Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy. When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax: -- Prefix the setting with the boot application prefix -- Append a colon ‘:’ -- Append either the hex value or the friendly name -- If entering more than one BCD setting, you will need to enter each BCD setting on a new line +- Prefix the setting with the boot application prefix +- Append a colon `:` +- Append either the hex value or the friendly name +- If entering more than one BCD setting, each BCD setting will need to be entered on a new line -For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value. +For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yields the same value. -A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. +A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields. 
> [!NOTE] > Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. -  + ### Default BCD validation profile The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions: | Hex Value | Prefix | Friendly Name | | - | - | - | -| 0x11000001 | all | device| -| 0x12000002 | all | path| +| 0x11000001 | all | device| +| 0x12000002 | all | path| | 0x12000030 | all | loadoptions| -| 0x16000010 | all | bootdebug| -| 0x16000040 | all | advancedoptions| -| 0x16000041 | all| optionsedit| -| 0x16000048| all| nointegritychecks| -| 0x16000049| all| testsigning| -| 0x16000060| all| isolatedcontext| +| 0x16000010 | all | bootdebug| +| 0x16000040 | all | advancedoptions| +| 0x16000041 | all| optionsedit| +| 0x16000048| all| nointegritychecks| +| 0x16000049| all| testsigning| +| 0x16000060| all| isolatedcontext| | 0x1600007b| all| forcefipscrypto| -| 0x22000002| winload| systemroot| -| 0x22000011| winload| kernel| -| 0x22000012| winload| hal| -| 0x22000053| winload| evstore| -| 0x25000020| winload| nx| -| 0x25000052| winload| restrictapiccluster| -| 0x26000022| winload| winpe| -| 0x26000025 |winload|lastknowngood| -| 0x26000081| winload| safebootalternateshell| -| 0x260000a0| winload| debug| -| 0x260000f2| winload| hypervisordebug| -| 0x26000116| winload| hypervisorusevapic| -| 0x21000001| winresume| filedevice| -| 0x22000002| winresume| filepath| -| 0x26000006| winresume| debugoptionenabled| +| 0x22000002| winload| systemroot| +| 0x22000011| winload| kernel| +| 0x22000012| winload| hal| +| 0x22000053| winload| evstore| +| 0x25000020| winload| nx| +| 0x25000052| winload| restrictapiccluster| +| 0x26000022| winload| winpe| +| 0x26000025 |winload|lastknowngood| +| 0x26000081| winload| safebootalternateshell| +| 0x260000a0| winload| 
debug| +| 0x260000f2| winload| hypervisordebug| +| 0x26000116| winload| hypervisorusevapic| +| 0x21000001| winresume| filedevice| +| 0x22000002| winresume| filepath| +| 0x26000006| winresume| debugoptionenabled| ### Full list of friendly names for ignored BCD settings -This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. +The following list is a full list of BCD settings with friendly names, which are ignored by default. These settings aren't part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker-protected operating system drive to be unlocked. > [!NOTE] > Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. 
| Hex Value | Prefix | Friendly Name | | - | - | - | -| 0x12000004 | all | description | -| 0x12000005 | all | locale | -| 0x12000016 | all | targetname | -| 0x12000019| all| busparams| -| 0x1200001d| all| key| -| 0x1200004a| all| fontpath| -| 0x14000006| all| inherit| -| 0x14000008| all| recoverysequence| -| 0x15000007| all| truncatememory| -| 0x1500000c| all| firstmegabytepolicy| -| 0x1500000d| all| relocatephysical| -| 0x1500000e| all| avoidlowmemory| -| 0x15000011| all| debugtype| -| 0x15000012 |all|debugaddress| -| 0x15000013| all| debugport| -| 0x15000014|all|baudrate| -| 0x15000015 | all| channel| -| 0x15000018 | all| debugstart| -| 0x1500001a | all| hostip| -| 0x1500001b | all| port| -| 0x15000022 | all| emsport| -| 0x15000023 | all| emsbaudrate| -| 0x15000042 | all| keyringaddress| -| 0x15000047 | all| configaccesspolicy| -| 0x1500004b | all| integrityservices| -| 0x1500004c | all| volumebandid| -| 0x15000051 | all| initialconsoleinput| -| 0x15000052 | all| graphicsresolution| -| 0x15000065 | all| displaymessage| +| 0x12000004 | all | description | +| 0x12000005 | all | locale | +| 0x12000016 | all | targetname | +| 0x12000019| all| busparams| +| 0x1200001d| all| key| +| 0x1200004a| all| fontpath| +| 0x14000006| all| inherit| +| 0x14000008| all| recoverysequence| +| 0x15000007| all| truncatememory| +| 0x1500000c| all| firstmegabytepolicy| +| 0x1500000d| all| relocatephysical| +| 0x1500000e| all| avoidlowmemory| +| 0x15000011| all| debugtype| +| 0x15000012 |all|debugaddress| +| 0x15000013| all| debugport| +| 0x15000014|all|baudrate| +| 0x15000015 | all| channel| +| 0x15000018 | all| debugstart| +| 0x1500001a | all| hostip| +| 0x1500001b | all| port| +| 0x15000022 | all| emsport| +| 0x15000023 | all| emsbaudrate| +| 0x15000042 | all| keyringaddress| +| 0x15000047 | all| configaccesspolicy| +| 0x1500004b | all| integrityservices| +| 0x1500004c | all| volumebandid| +| 0x15000051 | all| initialconsoleinput| +| 0x15000052 | all| graphicsresolution| +| 0x15000065 
| all| displaymessage| | 0x15000066 | all| displaymessageoverride| | 0x15000081 | all| logcontrol| -| 0x16000009 | all| recoveryenabled| -| 0x1600000b | all| badmemoryaccess| -| 0x1600000f | all| traditionalkseg| -| 0x16000017 | all| noumex| -| 0x1600001c | all| dhcp| -| 0x1600001e | all| vm| -| 0x16000020 | all| bootems| -| 0x16000046 | all| graphicsmodedisabled| -| 0x16000050 | all| extendedinput| -| 0x16000053 | all| restartonfailure| -| 0x16000054 | all| highestmode| -| 0x1600006c | all| bootuxdisabled| -| 0x16000072 | all| nokeyboard| -| 0x16000074 | all| bootshutdowndisabled| -| 0x1700000a | all| badmemorylist| -| 0x17000077 | all| allowedinmemorysettings| -| 0x22000040 | all| fverecoveryurl| -| 0x22000041 | all| fverecoverymessage| -| 0x31000003 | all| ramdisksdidevice| +| 0x16000009 | all| recoveryenabled| +| 0x1600000b | all| badmemoryaccess| +| 0x1600000f | all| traditionalkseg| +| 0x16000017 | all| noumex| +| 0x1600001c | all| dhcp| +| 0x1600001e | all| vm| +| 0x16000020 | all| bootems| +| 0x16000046 | all| graphicsmodedisabled| +| 0x16000050 | all| extendedinput| +| 0x16000053 | all| restartonfailure| +| 0x16000054 | all| highestmode| +| 0x1600006c | all| bootuxdisabled| +| 0x16000072 | all| nokeyboard| +| 0x16000074 | all| bootshutdowndisabled| +| 0x1700000a | all| badmemorylist| +| 0x17000077 | all| allowedinmemorysettings| +| 0x22000040 | all| fverecoveryurl| +| 0x22000041 | all| fverecoverymessage| +| 0x31000003 | all| ramdisksdidevice| | 0x32000004 | all| ramdisksdipath| -| 0x35000001| all | ramdiskimageoffset| -| 0x35000002 | all| ramdisktftpclientport| -| 0x35000005 | all| ramdiskimagelength| -| 0x35000007 | all| ramdisktftpblocksize| -| 0x35000008 | all| ramdisktftpwindowsize| -| 0x36000006 | all| exportascd| -| 0x36000009 | all| ramdiskmcenabled| -| 0x3600000a | all| ramdiskmctftpfallback| -| 0x3600000b | all| ramdisktftpvarwindow| -| 0x21000001 | winload| osdevice| -| 0x22000013 | winload| dbgtransport| -| 0x220000f9 | winload| 
hypervisorbusparams| -| 0x22000110 | winload| hypervisorusekey| +| 0x35000001| all | ramdiskimageoffset| +| 0x35000002 | all| ramdisktftpclientport| +| 0x35000005 | all| ramdiskimagelength| +| 0x35000007 | all| ramdisktftpblocksize| +| 0x35000008 | all| ramdisktftpwindowsize| +| 0x36000006 | all| exportascd| +| 0x36000009 | all| ramdiskmcenabled| +| 0x3600000a | all| ramdiskmctftpfallback| +| 0x3600000b | all| ramdisktftpvarwindow| +| 0x21000001 | winload| osdevice| +| 0x22000013 | winload| dbgtransport| +| 0x220000f9 | winload| hypervisorbusparams| +| 0x22000110 | winload| hypervisorusekey| | 0x23000003 |winload| resumeobject| -| 0x25000021| winload| pae| -| 0x25000031 |winload| removememory| -| 0x25000032 | winload| increaseuserva| -| 0x25000033 | winload| perfmem| -| 0x25000050 | winload| clustermodeaddressing| -| 0x25000055 | winload| x2apicpolicy| -| 0x25000061 | winload| numproc| +| 0x25000021| winload| pae| +| 0x25000031 |winload| removememory| +| 0x25000032 | winload| increaseuserva| +| 0x25000033 | winload| perfmem| +| 0x25000050 | winload| clustermodeaddressing| +| 0x25000055 | winload| x2apicpolicy| +| 0x25000061 | winload| numproc| | 0x25000063 | winload| configflags| | 0x25000066| winload| groupsize| | 0x25000071 | winload| msi| -| 0x25000072 | winload| pciexpress| -| 0x25000080 | winload| safeboot| -| 0x250000a6 | winload| tscsyncpolicy| -| 0x250000c1| winload| driverloadfailurepolicy| -| 0x250000c2| winload| bootmenupolicy| -| 0x250000e0 |winload| bootstatuspolicy| -| 0x250000f0 | winload| hypervisorlaunchtype| -| 0x250000f3 | winload| hypervisordebugtype| -| 0x250000f4 | winload| hypervisordebugport| -| 0x250000f5 | winload| hypervisorbaudrate| -| 0x250000f6 | winload| hypervisorchannel| -| 0x250000f7 | winload| bootux| -| 0x250000fa | winload| hypervisornumproc| -| 0x250000fb | winload| hypervisorrootprocpernode| -| 0x250000fd | winload| hypervisorhostip| -| 0x250000fe | winload| hypervisorhostport| -| 0x25000100 | winload| tpmbootentropy| -| 
0x25000113 | winload| hypervisorrootproc| -| 0x25000115 | winload| hypervisoriommupolicy| -| 0x25000120 | winload| xsavepolicy| -| 0x25000121 | winload| xsaveaddfeature0| -| 0x25000122 | winload| xsaveaddfeature1| -| 0x25000123 | winload| xsaveaddfeature2| -| 0x25000124 | winload| xsaveaddfeature3| -| 0x25000125 | winload| xsaveaddfeature4| -| 0x25000126 | winload| xsaveaddfeature5| -| 0x25000127 | winload| xsaveaddfeature6| -| 0x25000128 | winload| xsaveaddfeature7| -| 0x25000129 | winload| xsaveremovefeature| -| 0x2500012a | winload| xsaveprocessorsmask| -| 0x2500012b | winload| xsavedisable| -| 0x25000130 | winload| claimedtpmcounter| -| 0x26000004 | winload| stampdisks| -| 0x26000010 | winload| detecthal| -| 0x26000024 | winload| nocrashautoreboot| -| 0x26000030 | winload| nolowmem| -| 0x26000040 | winload| vga| -| 0x26000041 | winload| quietboot| -| 0x26000042 | winload| novesa| -| 0x26000043 | winload| novga| -| 0x26000051 | winload| usephysicaldestination| -| 0x26000054 | winload| uselegacyapicmode| -| 0x26000060 | winload| onecpu| -| 0x26000062 | winload| maxproc| -| 0x26000064 | winload| maxgroup| -| 0x26000065 | winload| groupaware| -| 0x26000070| winload| usefirmwarepcisettings| +| 0x25000072 | winload| pciexpress| +| 0x25000080 | winload| safeboot| +| 0x250000a6 | winload| tscsyncpolicy| +| 0x250000c1| winload| driverloadfailurepolicy| +| 0x250000c2| winload| bootmenupolicy| +| 0x250000e0 |winload| bootstatuspolicy| +| 0x250000f0 | winload| hypervisorlaunchtype| +| 0x250000f3 | winload| hypervisordebugtype| +| 0x250000f4 | winload| hypervisordebugport| +| 0x250000f5 | winload| hypervisorbaudrate| +| 0x250000f6 | winload| hypervisorchannel| +| 0x250000f7 | winload| bootux| +| 0x250000fa | winload| hypervisornumproc| +| 0x250000fb | winload| hypervisorrootprocpernode| +| 0x250000fd | winload| hypervisorhostip| +| 0x250000fe | winload| hypervisorhostport| +| 0x25000100 | winload| tpmbootentropy| +| 0x25000113 | winload| hypervisorrootproc| +| 0x25000115 | 
winload| hypervisoriommupolicy| +| 0x25000120 | winload| xsavepolicy| +| 0x25000121 | winload| xsaveaddfeature0| +| 0x25000122 | winload| xsaveaddfeature1| +| 0x25000123 | winload| xsaveaddfeature2| +| 0x25000124 | winload| xsaveaddfeature3| +| 0x25000125 | winload| xsaveaddfeature4| +| 0x25000126 | winload| xsaveaddfeature5| +| 0x25000127 | winload| xsaveaddfeature6| +| 0x25000128 | winload| xsaveaddfeature7| +| 0x25000129 | winload| xsaveremovefeature| +| 0x2500012a | winload| xsaveprocessorsmask| +| 0x2500012b | winload| xsavedisable| +| 0x25000130 | winload| claimedtpmcounter| +| 0x26000004 | winload| stampdisks| +| 0x26000010 | winload| detecthal| +| 0x26000024 | winload| nocrashautoreboot| +| 0x26000030 | winload| nolowmem| +| 0x26000040 | winload| vga| +| 0x26000041 | winload| quietboot| +| 0x26000042 | winload| novesa| +| 0x26000043 | winload| novga| +| 0x26000051 | winload| usephysicaldestination| +| 0x26000054 | winload| uselegacyapicmode| +| 0x26000060 | winload| onecpu| +| 0x26000062 | winload| maxproc| +| 0x26000064 | winload| maxgroup| +| 0x26000065 | winload| groupaware| +| 0x26000070| winload| usefirmwarepcisettings| | 0x26000090 | winload| bootlog| -| 0x26000091 | winload| sos| -| 0x260000a1 | winload| halbreakpoint| -| 0x260000a2 | winload| useplatformclock| -| 0x260000a3 |winload| forcelegacyplatform| -| 0x260000a4 | winload| useplatformtick| -| 0x260000a5 | winload| disabledynamictick| -| 0x260000b0 | winload| ems| -| 0x260000c3 | winload| onetimeadvancedoptions| -| 0x260000c4 | winload| onetimeoptionsedit| -| 0x260000e1| winload| disableelamdrivers| -| 0x260000f8 | winload| hypervisordisableslat| -| 0x260000fc | winload| hypervisoruselargevtlb| -| 0x26000114 | winload| hypervisordhcp| +| 0x26000091 | winload| sos| +| 0x260000a1 | winload| halbreakpoint| +| 0x260000a2 | winload| useplatformclock| +| 0x260000a3 |winload| forcelegacyplatform| +| 0x260000a4 | winload| useplatformtick| +| 0x260000a5 | winload| disabledynamictick| +| 0x260000b0 | 
winload| ems| +| 0x260000c3 | winload| onetimeadvancedoptions| +| 0x260000c4 | winload| onetimeoptionsedit| +| 0x260000e1| winload| disableelamdrivers| +| 0x260000f8 | winload| hypervisordisableslat| +| 0x260000fc | winload| hypervisoruselargevtlb| +| 0x26000114 | winload| hypervisordhcp| | 0x21000005 | winresume| associatedosdevice| -| 0x25000007 | winresume| bootux| +| 0x25000007 | winresume| bootux| | 0x25000008 | winresume| bootmenupolicy| -| 0x26000003| winresume |customsettings| +| 0x26000003| winresume |customsettings| | 0x26000004 | winresume| pae| -| 0x25000001 | memtest| passcount| -| 0x25000002 | memtest| testmix| -| 0x25000005 | memtest| stridefailcount| -| 0x25000006 | memtest| invcfailcount| -| 0x25000007 | memtest| matsfailcount| -| 0x25000008 | memtest| randfailcount| +| 0x25000001 | memtest| passcount| +| 0x25000002 | memtest| testmix| +| 0x25000005 | memtest| stridefailcount| +| 0x25000006 | memtest| invcfailcount| +| 0x25000007 | memtest| matsfailcount| +| 0x25000008 | memtest| randfailcount| | 0x25000009 |memtest| chckrfailcount| | 0x26000003| memtest| cacheenable| | 0x26000004 | memtest| failuresenabled| diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml index 5278e578b5..6b2f45605c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml 
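Review bot: every `-`/`+` pair in the BCD element table above carries identical visible content (for example `-| 0x12000004 | all | description |` against `+| 0x12000004 | all | description |`), so this reads as a trailing-whitespace cleanup rather than a content change; please confirm with `git diff --ignore-all-space` that the hunk is empty and say so in the PR description, because these hex identifiers are what administrators rely on to map BCD elements to their friendly names and a silently altered value would be very hard to spot in a hunk this size. While the lines are being touched anyway, the cell padding is inconsistent (`| 0x12000019| all| busparams|` next to `| 0x12000004 | all | description |`); normalising it to one space per cell would make future diffs of this table reviewable.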
@@ -3,26 +3,28 @@ metadata: title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - M365-security-compliance - highpri ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker and Active Directory Domain Services (AD DS) FAQ summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above 
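Review bot: the summary now lists Windows 11 and Windows Server 2016 and above under `*Applies to:*`, but the `metadata.title` on the first context line still reads `BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)`; drop the `(Windows 10)` suffix there so the browser title matches the expanded scope. Also, `ms.reviewer:` is deleted in this file but the same empty key is left in place in `bitlocker-basic-deployment.md` later in the patch; pick one treatment for both files.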
@@ -34,20 +36,20 @@ sections: answer: | Stored information | Description -------------------|------------ - Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in. - BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). + Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in. + BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. - question: | What if BitLocker is enabled on a computer before the computer has joined the domain? 
answer: | - If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. + If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. 
For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt: + The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt: - ```PowerShell + ```powershell $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } 
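Review bot: the rewritten sentence `The recovery password allows unlocking of and access to the drive after a recovery incident.` is harder to read than the line it replaces; `allows the drive to be unlocked and accessed after a recovery incident` keeps the no-second-person style without the awkward construction. In the same answer, merging the `manage-bde.exe` sentence into the paragraph that introduces the example makes the example look like a `manage-bde.exe` invocation, but the block that follows uses the `Get-BitLockerVolume` cmdlet and `$env:SystemDrive`, so `from an elevated command prompt` should become `from an elevated PowerShell prompt`; if the `manage-bde.exe` route is worth keeping, show its equivalent (`manage-bde.exe -protectors -adbackup <drive> -id <KeyProtectorID>`) on its own line rather than implying the PowerShell script is that tool.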
@@ -56,29 +58,29 @@ sections: ``` > [!IMPORTANT] - > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). + > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). - question: | Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? answer: | - Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. + Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed. - Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. 
+ Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. - question: | - If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? + If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? answer: | - No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. + No. By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object. - question: | What happens if the backup initially fails? Will BitLocker retry it? answer: | - If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. + If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS. 
- When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. + When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. 
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored. + When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 9e61120973..e277229e21 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
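Review bot: `With these settings configured if the backup fails, BitLocker can't be enabled` in the retry answer needs a comma after `configured`; as written it parses as the settings being configured only when the backup fails. Smaller points in the same hunk: `In addition, it's also possible` is redundant (keep either `In addition` or `also`), and several `-`/`+` pairs (the `[!IMPORTANT]` note, the `If I change the BitLocker recovery password` question, the `Ultimately, determining` line) differ only in whitespace, which buries the wording changes; a separate whitespace-only commit would make the content edits easier to review.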
@@ -4,26 +4,26 @@ description: This article for the IT professional explains how BitLocker feature ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker basic deployment -**Applies to** +*Applies to:* -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. +This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption. ## Using BitLocker to encrypt volumes 
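Review bot: `ms.reviewer:` is kept here as an empty key while the FAQ file earlier in this patch deletes it; the two files should be handled the same way. The `**Applies to**` to `*Applies to:*` change matches the FAQ, but the lines `- Windows 10`, `- Windows 11` and `- Windows Server 2016 and above` appear as changed lines with identical content, so that part of the hunk is whitespace-only and could be folded into a separate cleanup commit.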
@@ -34,77 +34,148 @@ If the drive was prepared as a single contiguous space, BitLocker requires a new > [!NOTE] > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. -BitLocker encryption can be done using the following methods: +BitLocker encryption can be enabled and managed using the following methods: -- BitLocker control panel -- Windows Explorer -- `manage-bde` command-line interface -- BitLocker Windows PowerShell cmdlets +- BitLocker control panel +- Windows Explorer +- `manage-bde.exe` command-line interface +- BitLocker Windows PowerShell cmdlets ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. 
-To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). +To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume). -### Operating system volume +#### Operating system volume -When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: +For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions: -|Requirement|Description| -|--- |--- | -|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| -|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| -|BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
  • | -|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| -|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| +1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: -Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. -Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer can't access the drive. 
+ |Requirement|Description| + |--- |--- | + |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| + |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| + |Hardware TPM|TPM version 1.2 or 2.0.

    A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| + |UEFI firmware/BIOS configuration|
    • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
    • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
    • The firmware must be able to read from a USB flash drive during startup.
    | + |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| + |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| -You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. + If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. -- Encrypt used disk space only - Encrypts only disk space that contains data -- Encrypt entire drive - Encrypts the entire volume including free space +2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped. -It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option. +3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. 
A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the computer if: -> [!NOTE] -> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + - The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption + - BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up -Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. + A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive. + The recovery key can be stored using the following methods: -After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. 
+ - **Save to your Azure AD account** (if applicable) + - **Save to a USB flash drive** + - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive + - **Print the recovery key** + + The recovery key can't be stored at the following locations: + + - The drive being encrypted + - The root directory of a non-removable/fixed drive + - An encrypted volume + + > [!TIP] + > Ideally, a computer's recovery key should be stored separate from the computer itself. + + > [!NOTE] + > After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key. + +4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted: + + - **Encrypt used disk space only** - Encrypts only disk space that contains data. + - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption. + + Each of the methods is recommended in the following scenarios: + + - **Encrypt used disk space only**: + + - The drive has never had data + - Formatted or erased drives that in the past have never had confidential data that was never encrypted + + - **Encrypt entire drive** (full disk encryption): + + - Drives that currently have data + - Drives that currently have an operating system + - Formatted or erased drives that in the past had confidential data that was never encrypted + + > [!IMPORTANT] + > Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + +5. 
The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode: + + - **New encryption mode** + - **Compatible mode** + + Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**. + +6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. + +After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume. + +Users can check encryption status by checking the system notification area or the BitLocker control panel. Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker. -### Data volume +#### Data volume -Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard. -Unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the wizard to proceed. 
Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. +Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**. -After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes. -With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected. +1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed -With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption. +2. A choice of authentication methods to unlock the drive appears. The available options are: + + - **Use a password to unlock the drive** + - **Use my smart card to unlock the drive** + - **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked. + +3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. 
These options are the same as for operating system volumes: + + - **Save to your Azure AD account** (if applicable) + - **Save to a USB flash drive** + - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive + - **Print the recovery key** + +4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes: + + - **Encrypt used disk space only** - Encrypts only disk space that contains data. + - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption. + +5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode: + + - **New encryption mode** + - **Compatible mode** + + Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**. + +6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption. Encryption status displays in the notification area or within the BitLocker control panel. -### OneDrive option +### OneDrive option -There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain. +There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. 
Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain. -Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. +Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. ### Using BitLocker within Windows Explorer -Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. +Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. 
-## Down-level compatibility +## Down-level compatibility -The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows. +The following table shows the compatibility matrix for systems that have been BitLocker enabled and then presented to a different version of Windows. Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes 
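Review bot: the rewritten recovery-key list in this hunk silently drops a restriction the removed paragraph stated: `You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media.` The new "can't be stored at the following locations" list names only the drive being encrypted, the root of a fixed drive and an encrypted volume, and the data-volume steps later in the hunk still offer **Save to a USB flash drive** without that caveat, so a reader will conclude that saving a BitLocker To Go key to another USB stick is supported; add a fourth bullet (or reinstate the sentence) in both the operating-system and data-volume lists. Two smaller points in the same hunk: step 6 reads `it's recommended run this system check` and should be `It's recommended to run this system check`, and the **Encrypt used disk space only** scenario `Formatted or erased drives that in the past have never had confidential data that was never encrypted` is a double negative; `Formatted or erased drives that have never held unencrypted confidential data` says what is meant.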
@@ -115,67 +186,81 @@ Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| |Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A| -## Encrypting volumes using the manage-bde command-line interface +## Encrypting volumes using the `manage-bde.exe` command-line interface -Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). +`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. +`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. 
A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command. Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. -### Operating system volume +### Operating system volume commands -Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. -**Determining volume status** +#### Determining volume status -A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: +A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status: -`manage-bde -status` +`manage-bde.exe -status` This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment. 
-**Enabling BitLocker without a TPM** +#### Enabling BitLocker without a TPM -For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process. +Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption: ```powershell -manage-bde –protectors -add C: -startupkey E: -manage-bde -on C: +manage-bde.exe -protectors -add C: -startupkey E: +manage-bde.exe -on C: ``` -**Enabling BitLocker with a TPM only** +If prompted, reboot the computer to complete the encryption process. -It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: +#### Enabling BitLocker with a TPM only -`manage-bde -on C:` +It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command: -This will encrypt the drive using the TPM as the protector. 
If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command: +```cmd +manage-bde.exe -on C: +``` -`manage-bde -protectors -get ` +This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command: -**Provisioning BitLocker with two protectors** +```cmd +manage-bde.exe -protectors -get +``` -Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command: +#### Provisioning BitLocker with two protectors -`manage-bde -protectors -add C: -pw -sid ` +Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command: -This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on. +```cmd +manage-bde.exe -protectors -add C: -pw -sid +``` -### Data volume +This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker. -Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume. 
+### Data volume commands -**Enabling BitLocker with a password** +Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: -A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker. +```cmd +manage-bde.exe -on +``` + +Or users can choose to add protectors to the volume. It is recommended to add at least one primary protector and a recovery protector to a data volume. + +#### Enabling BitLocker with a password + +A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker. ```powershell -manage-bde -protectors -add -pw C: -manage-bde -on C: +manage-bde.exe -protectors -add -pw C: +manage-bde.exe -on C: ``` -## Encrypting volumes using the BitLocker Windows PowerShell cmdlets +## Encrypting volumes using the BitLocker Windows PowerShell cmdlets Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. @@ -194,11 +279,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us |**Suspend-BitLocker**|
  • Confirm
  • MountPoint
  • RebootCount
  • WhatIf| |**Unlock-BitLocker**|
  • AdAccountOrGroup
  • Confirm
  • MountPoint
  • Password
  • RecoveryKeyPath
  • RecoveryPassword
  • RecoveryPassword
  • WhatIf| -Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. +Similar to `manage-bde.exe`, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with `manage-bde.exe`, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume PowerShell cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. +Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If all of the protectors for a volume aren't seen, the Windows PowerShell pipe command (`|`) can be used to format a listing of the protectors. > [!NOTE] > In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. 
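Review bot: in the `@@ -115,67` hunk, the `#### Enabling BitLocker with a TPM only` text keeps a contradiction: it says the volume can be encrypted `without any defined protectors` and in the next sentence that `This command will encrypt the drive using the TPM as the protector.` State what actually happens, consistent with the earlier sentence `encrypts the operating system volume with a TPM-only protector and no recovery key`: running `manage-bde.exe -on C:` with no prior `-protectors -add` results in a TPM-only protector and no recovery password, which is why the two-protector example follows. In the same hunk, fix `would be used t create the startup key` (`to create`), the missing space in `manage-bde.exe`command, and `a password protector is added to the volume and turn on BitLocker` (`and BitLocker is turned on`); the startup-key and data-volume password examples are still fenced with the `powershell` tag while the fences introduced in this hunk are tagged `cmd`, so pick one tag for every `manage-bde.exe` block.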
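Review bot: the `+` line in the `@@ -194,11` hunk writes the cmdlet name as `Get-BitLocker volume PowerShell cmdlet`; the cmdlet is `Get-BitLockerVolume`, as the following paragraph spells it, so format it as a single code identifier. In the unchanged context lines of this hunk, the **Unlock-BitLocker** parameter list carries `RecoveryPassword` twice; since the hunk already edits the prose around this table, drop the duplicate bullet here. `Occasionally, all protectors may not be shown` also reads better as `Occasionally, not all protectors are shown`.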
@@ -206,7 +291,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** ```powershell Get-BitLockerVolume C: | fl ``` -If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. + +If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed. A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below: ```powershell 
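Review bot: the rewritten sentence `Accomplishing this action requires the GUID associated with the protector to be removed.` is ambiguous, since it can be read as the GUID being the thing removed; suggest `Doing so requires the GUID of the key protector that is to be removed.` The following sentence, `A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable`, describes an assignment (`$keyprotectors = $vol.KeyProtector`), not a pipe, so `assign` is the accurate verb.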
@@ -214,18 +300,18 @@ $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` -Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. -Using this information, we can then remove the key protector for a specific volume using the command: +Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command: ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` + > [!NOTE] > The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command. -### Operating system volume +### Operating system volume PowerShell cmdlets -Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. +Using the BitLocker Windows PowerShell cmdlets is similar to working with the `manage-bde.exe` tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. To enable BitLocker with just the TPM protector, use this command: 
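Review bot: `users can add the desired protector as part command for encrypting the volume` is missing words in the `+` line; `as part of the command that encrypts the volume`. The NOTE added in this hunk tells the reader to include `the entire GUID, with braces`, but the example it refers to, `Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"`, shows only a bare `:` where the mount point belongs; if the drive-letter placeholder was dropped, restore it so the line is copy-pasteable.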
@@ -239,11 +325,10 @@ The example below adds one additional protector, the StartupKey protectors, and Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` -### Data volume +### Data volume PowerShell cmdlets Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins. - ```powershell $pw = Read-Host -AsSecureString 
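Review bot: the context example `Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest` uses `-SkipHardwareTest` with no explanation; the wizard section earlier in this patch says that skipping the system check means a boot-time problem can only be resolved with the recovery key, and this example adds no recovery password protector, so a one-sentence caveat belongs next to it. The same line also shows `-StartupKeyPath` with no value; check that the path placeholder survived. Style: this hunk retitles the section `### Data volume PowerShell cmdlets` but leaves `You should add the desired protectors prior to encrypting the volume` in second person while the rest of the patch removes it; `The desired protectors should be added prior to encrypting the volume`.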
@@ -252,12 +337,12 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ### Using an SID-based protector in Windows PowerShell -The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. +The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster. > [!WARNING] -> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. +> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes. -To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. +To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G. 
```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator 
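Review bot: removing the parentheses in the WARNING yields `an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes`, which is harder to parse than the original; keep the parentheses or write `an additional protector (TPM, PIN, recovery key, and so on) when used on operating system volumes`. The rewritten sentence `either the domain SID is needed or the group name preceded by the domain and a backslash` should be `either the domain SID or the group name preceded by the domain and a backslash is needed`. Also, the example adds `CONTOSO\Administrator`, a single highly privileged account, as the protector, while the same hunk says SID-based protectors are meant for cluster disks with the Cluster Name Object; a group or CNO example would match the stated use and avoid tying an unlock path to one admin account.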
@@ -268,23 +353,25 @@ For users who wish to use the SID for the account or group, the first step is to ```powershell Get-ADUser -filter {samaccountname -eq "administrator"} ``` + > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. > [!TIP] -> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features. +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: ```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` + > [!NOTE] > Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes. -## Checking BitLocker status +## Checking BitLocker status -To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section. +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section. ### Checking BitLocker status with the control panel 
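Review bot: the last `+` line in this hunk keeps `We'll look at each of the available methods in the following section.` while the rest of the patch strips first and second person; `Each method is described in the following sections.` is consistent with the new register. The context line `Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""` has an empty string where the SID placeholder should be; confirm the placeholder survived.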
@@ -297,21 +384,21 @@ Checking BitLocker status with the control panel is the most common method used | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. Once BitLocker protector activation is completed, the completion notice is displayed. 
-### Checking BitLocker status with manage-bde +### Checking BitLocker status with `manage-bde.exe` -Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume. +Administrators who prefer a command-line interface can utilize `manage-bde.exe` to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, `manage-bde.exe` can display the BitLocker version in use, the encryption type, and the protectors associated with a volume. -To check the status of a volume using manage-bde, use the following command: +To check the status of a volume using `manage-bde.exe`, use the following command: ```powershell -manage-bde -status +manage-bde.exe -status ``` > [!NOTE] 
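Review bot: in the `manage-bde.exe` status section the second sentence still reads `Manage-bde is capable of returning more information`, while the sentences on either side were changed to `manage-bde.exe`; make it consistent. In the control-panel context of the same hunk, `Selecting **Activate BitLocker** will complete the encryption process` is inaccurate for the pre-provisioned case the paragraph describes: the volume is already encrypted with a clear key, and activation only adds the real protector, as the next sentence (`Once BitLocker protector activation is completed`) says; `will put the volume in a protected state` is the precise wording.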
@@ -319,22 +406,23 @@ manage-bde -status ### Checking BitLocker status with Windows PowerShell -Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. +Windows PowerShell commands offer another way to query BitLocker status for volumes. Like `manage-bde.exe`, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: ```powershell Get-BitLockerVolume -Verbose | fl ``` -This command displays information about the encryption method, volume type, key protectors, etc. + +This command displays information about the encryption method, volume type, key protectors, and more. ### Provisioning BitLocker during operating system deployment -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. 
If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. ### Decrypting BitLocker volumes -Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We'll discuss each method further below. +Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, `manage-bde.exe`, or Windows PowerShell cmdlets. We'll discuss each method further below. ### Decrypting volumes using the BitLocker control panel applet 
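Review bot: the reworded provisioning paragraph now repeats itself: "Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector..." restates the preceding sentence almost word for word, and "Windows Pre-installation environment" should be the product name "Windows Preinstallation Environment (Windows PE)". Suggest "Administrators can enable BitLocker from Windows PE before the operating system is deployed. A randomly generated clear key protector is applied to the formatted volume, and the volume is encrypted before Windows Setup runs." In the same hunk, `Get-BitLockerVolume` and the `fl` alias in the example are left as plain text while `manage-bde.exe` got backticks; for consistency, format the cmdlet name and use `Format-List` rather than the alias in a documentation sample.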
@@ -345,22 +433,23 @@ The control panel doesn't report decryption progress but displays it in the noti Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption. -### Decrypting volumes using the manage-bde command-line interface +### Decrypting volumes using the `manage-bde.exe` command-line interface -Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: +Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: ```powershell -manage-bde -off C: +manage-bde.exe -off C: ``` + This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command: ```powershell -manage-bde -status C: +manage-bde.exe -status C: ``` ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets -Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. +Decryption with Windows PowerShell cmdlets is straightforward, similar to `manage-bde.exe`. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: 
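Review bot: "Manage-bde uses the -off command to start the decryption process" keeps the old unformatted tool name and leaves `-off` as plain text, while the rest of the hunk switched to `manage-bde.exe` in backticks; suggest "`manage-bde.exe` uses the `-off` switch to start the decryption process" (`-off` is a switch, not a command). The same applies to "Using the Disable-BitLocker command" near the end of the hunk, where `Disable-BitLocker` should be formatted as a cmdlet name.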
@@ -374,7 +463,7 @@ If a user didn't want to input each mount point individually, using the `-MountP Disable-BitLocker -MountPoint E:,F:,G: ``` -## See also +## Related articles - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index e515250330..58f5c7fe83 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -1,66 +1,59 @@ --- title: BitLocker Countermeasures (Windows 10) -description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. +description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker Countermeasures -**Applies to** +*Applies to:* -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. -BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. -Data on a lost or stolen computer is vulnerable. -For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer’s hard disk to a different computer. +Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer. 
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by: -- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. -- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. - +- **Encrypting volumes on a computer.** For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive. or removable data drive (such as a USB flash drive, SD card, etc.) Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. 
+ +- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. + The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8. -For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803 or Windows 11, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). +For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). ## Protection before startup -Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot. +Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot. ### Trusted Platform Module -A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. -On some platforms, TPM can alternatively be implemented as a part of secure firmware. 
-BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. -For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). +A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). ### UEFI and secure boot -Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. +Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader. -The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). -Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. +The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. -By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. -An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key. +By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key. 
### BitLocker and reset attacks -To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. +To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. >[!NOTE] >This does not protect against physical attacks where an attacker opens the case and attacks the hardware. 
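Review bot: the rewritten "**Encrypting volumes on a computer.**" bullet introduces a typo: "a volume on a fixed drive. or removable data drive (such as a USB flash drive, SD card, etc.)" has a stray period after "drive" and no period closing the sentence. It should read "a volume on a fixed drive, or a removable data drive (such as a USB flash drive, SD card, etc.)." Separately, the `description` field changes "Early Launch Antimalware (ELAM)" to "Early Launch Anti-malware (ELAM)"; the hyphenated form doesn't match the feature name used in the original line, so the original spelling should be kept.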
@@ -71,89 +64,88 @@ The next sections cover pre-boot authentication and DMA policies that can provid ### Pre-boot authentication -Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. -The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. +Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. -BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. -If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. +BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. -Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. -This helps mitigate DMA and memory remanence attacks. 
+Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. This feature helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: - **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. + - **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key. + - **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. + - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. 
This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required. In the following group policy example, TPM + PIN is required to unlock an operating system drive: ![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png) -Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. -Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. +Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. -On the other hand, Pre-boot authentication-prompts can be inconvenient to users. -In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. -Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. +On the other hand, Pre-boot authentication-prompts can be inconvenient to users. 
In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. -To address these issues, you can deploy [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md). -Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. -It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. +To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. ### Protecting Thunderbolt and other DMA ports -There are a few different options to protect DMA ports, such as Thunderbolt™3. -Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. -This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS. +There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. 
This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. -You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: +You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled: ![Kernel DMA protection.](images/kernel-dma-protection.png) -If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports: +If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: + +1. Require a password for BIOS changes -1. Require a password for BIOS changes 2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) + 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11): - - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy + - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy + - Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.) -For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). -For SBP-2 and 1394 (a.k.a. 
Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). - +For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). + ## Attack countermeasures This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits -A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. -The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. +A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. -This is the default configuration. +> [!NOTE] +> BitLocker protects against this attack by default. -A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. -Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. 
-Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). +A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). ### Brute force attacks against a PIN -Require TPM + PIN for anti-hammering protection. + +Require TPM + PIN for anti-hammering protection. ### DMA attacks See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article. ### Paging file, crash dump, and Hyberfil.sys attacks -These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. -It also blocks automatic or manual attempts to move the paging file. + +These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file. ### Memory remanence -Enable secure boot and mandatorily prompt a password to change BIOS settings. -For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. +Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. 
+ +### Tricking BitLocker to pass the key to a rogue operating system + +An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. + +An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key. ## Attacker countermeasures 
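Review bot: the new "Tricking BitLocker to pass the key to a rogue operating system" section uses a curly apostrophe in "we don’t recommend" while the rest of this hunk converts curly quotes to straight ones; use "don't" for consistency. In the same section, "BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient" has a comma splitting subject and verb; suggest "BitLocker verifies cryptographically that the operating system receiving the encryption key obtained from the TPM is the intended recipient." Earlier in the hunk, "Thunderbolt™ 3 enabled ports" lost the hyphen from "Thunderbolt™ 3-enabled ports", and step 1 ("Require a password for BIOS changes") lacks the terminal period that steps 2 and 3 have.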
@@ -161,12 +153,12 @@ The following sections cover mitigations for different types of attackers. ### Attacker without much skill or with limited physical access -Physical access may be limited by a form factor that doesn't expose buses and memory. -For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. +Physical access may be limited by a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. -This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software. +This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software. + +Mitigation: -Mitigation: - Pre-boot authentication set to TPM only (the default) ### Attacker with skill and lengthy physical access 
@@ -174,27 +166,32 @@ Mitigation: Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software. Mitigation: + - Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation). -And- -- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy: +- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following Group Policy: - - Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu - - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in) - - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery) + - *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *File Explorer* > **Show hibernate in the power options menu** -These settings are **Not configured** by default. + - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (plugged in)** + + - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (on battery)** + +> [!IMPORTANT] +> These settings are **not configured** by default. For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. 
Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](./bitlocker-group-policy-settings.md) is: -Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup +- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup** -This setting is **Not configured** by default. +> [!IMPORTANT] +> This setting is **not configured** by default. For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device. -## See also +## Related articles - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) - [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index 2b9f32384a..37e6318217 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml 
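Review bot: the two sleep-settings paths lose a node in this hunk. The original lines read "Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in)", but the replacement is "*Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > ...", dropping *System*. Restore "*System* >" before *Power Management* in both bullets. The enhanced PIN path, by contrast, gains a *Policies* node the original lacked; that is consistent with the other paths in the hunk and can stay.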
@@ -4,23 +4,26 @@ metadata: description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker frequently asked questions (FAQ) summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above sections: 
@@ -28,7 +31,7 @@ sections: questions: - question: Can BitLocker deployment be automated in an enterprise environment? answer: | - Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps). + Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps). - question: Can BitLocker encrypt more than just the operating system drive? answer: Yes. 
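Review bot: the rewritten second sentence, `Which method is chosen to implement the automation depends on the environment.`, is an awkward passive; suggest `The method used depends on the environment.` Wrapping `Manage-bde.exe` in code formatting is a good consistency fix and the rest of the rewrite reads fine.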
@@ -38,58 +41,58 @@ sections: - question: How long will initial encryption take when BitLocker is turned on? answer: | - Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive. + Although BitLocker encryption occurs in the background while a user continues to work with the system remaining usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If encrypting large drives, encryption may want to be scheduled during times when the drive isn't being used. - You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. + When BitLocker is enabled, BitLocker can also be set to encrypt the entire drive or just the used space on the drive. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. - question: What happens if the computer is turned off during encryption or decryption? - answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. 
+ answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable. - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? - answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. + answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. - question: How can I prevent users on a network from storing data on an unencrypted drive? answer: | - You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. + Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). 
+ When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only. - question: What is Used Disk Space Only encryption? answer: | - BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). + BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). - question: What system changes would cause the integrity check on my operating system drive to fail? answer: | The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: - - Moving the BitLocker-protected drive into a new computer. - - Installing a new motherboard with a new TPM. - - Turning off, disabling, or clearing the TPM. - - Changing any boot configuration settings. - - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. + - Moving the BitLocker-protected drive into a new computer. + - Installing a new motherboard with a new TPM. + - Turning off, disabling, or clearing the TPM. + - Changing any boot configuration settings. 
+ - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive? answer: | - Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. + Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. For example: - Changing the BIOS boot order to boot another drive in advance of the hard drive. - - Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards. + - Adding or removing hardware, such as inserting a new card in the computer. - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. - The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. + The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. - question: What can prevent BitLocker from binding to PCR 7? - answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. + answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it. 
- question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? - answer: Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. + answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? - answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. 
+ answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. - - question: Why is "Turn BitLocker on" not available when I right-click a drive? - answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. + - question: Why is **Turn BitLocker on** not available when I right-click a drive? + answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted. - question: What type of disk configurations are supported by BitLocker? answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. 
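Review bot: the typo `used spaced` in `encrypting just the used spaced can be considerably faster` is carried over unchanged into the rewritten line; fix it to `used space` while this sentence is being touched. Several of the voice rewrites in this hunk also read awkwardly, notably `encryption may want to be scheduled during times when the drive isn't being used` (suggest `consider scheduling encryption for times when the drive isn't in use`), the second sentence of the hibernation answer, and the last sentence of the disk-swap answer, where `Different hard drives can also be configured ... and then enable BitLocker on each one` mixes subjects (suggest `... and BitLocker then enabled on each one`). Finally, the Used Disk Space Only answer still opens with `BitLocker in Windows 10 lets users choose`, even though this PR widens the file's Applies to list to Windows 11 and Windows Server 2016 and above; generalize the wording or make clear the option isn't limited to Windows 10.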
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 50fa530e4f..9e7aba3ca0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -3,23 +3,23 @@ title: BitLocker deployment comparison (Windows 10) description: This article shows the BitLocker deployment comparison chart. ms.prod: windows-client ms.localizationpriority: medium -author: lovina-saldanha -ms.author: v-lsaldanha +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/20/2021 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker deployment comparison -**Applies to** +*Applies to:* -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This article depicts the BitLocker deployment comparison chart. 
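Review bot: the front matter `title: BitLocker deployment comparison (Windows 10)` is left unchanged while the body's Applies to list covers Windows 10, Windows 11, and Windows Server 2016 and above; drop the `(Windows 10)` suffix or align the title with the scope the page declares.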
@@ -27,37 +27,37 @@ This article depicts the BitLocker deployment comparison chart. | Requirements |Microsoft Intune |Microsoft Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | |---------|---------|---------|---------| -|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 | -|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | -|Minimum Windows version |1909 | None | None | -|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined | -|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | -|Cloud or on premises | Cloud | On premises | On premises | +|*Minimum client operating system version* |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 | +|*Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|*Minimum Windows version* |1909 | None | None | +|*Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined | +|*Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|*Cloud or on premises* | Cloud | On premises | On premises | |Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Additional agent required? 
| No (device enrollment only) | Configuration Manager client | MBAM client | -|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | -|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | -|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported."::: | | -|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles 
| | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client | +|*Administrative plane* | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|*Administrative portal installation required* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Compliance reporting capabilities* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Force encryption* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Encryption for storage cards (mobile)* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|*Allow recovery password* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Manage startup authentication* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported."::: | +|*Select cipher strength and algorithms for fixed drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Select cipher strength and algorithms for removable drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Select cipher strength and algorithms for operating environment drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database | +|*Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|*Customize preboot message and recovery link* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Allow/deny key file creation* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Deny Write permission to unprotected drives* | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Can be administered outside company network* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|*Support for organization unique IDs* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Self-service recovery* | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Wait to complete encryption until recovery information is backed up to Azure AD* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | +|*Wait to complete encryption until recovery information is backed up to Active Directory* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Allow or deny Data Recovery Agent* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Unlock a volume using certificate with custom object identifier* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported."::: | +|*Prevent memory overwrite on restart* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Manage auto-unlock functionality* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 314bdaff4d..5b4d79dcc1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
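Review bot: the `Recovery password rotation for fixed and operating environment drives` row loses `or Windows 11` in the Intune column (now `Yes (Windows 10, version 1909 and later)`, previously `... and later or Windows 11)`), which is a content regression in a change that is otherwise formatting-only; restore the Windows 11 mention unless the support claim actually changed. Also, the italic treatment applied to every other row label skips `Server components required?`, the one row left as unchanged context, so the first column ends up inconsistent.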
@@ -3,56 +3,57 @@ title: Overview of BitLocker Device Encryption in Windows description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows. ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 03/10/2022 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # Overview of BitLocker Device Encryption in Windows -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and later +*Applies to:* -This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles. -Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7. +When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. 
Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. -**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7** +## Data Protection in Windows 11, Windows 10, and Windows 7 -| Windows 7 | Windows 11 and Windows 10 | +The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7. + + +| Windows 7 | Windows 11 and Windows 10 | |---|---| | When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | | Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. | -| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. | -| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | +| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the PIN or password is lost. | +| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. 
| ## Prepare for drive and file encryption -The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid. -Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth. +The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's a strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that's a scenario that organizations need to avoid. Whether planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet these needs by providing streamlined, usable solutions. In fact, several steps can be taken in advance to prepare for data encryption and make the deployment quick and smooth. ### TPM pre-provisioning -In Windows 7, preparing the TPM for use offered a couple of challenges: +In Windows 7, preparing the TPM offered a few challenges: -* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows. -* When you enable the TPM, it may require one or more restarts. +- Turning on the TPM required going into the BIOS or UEFI firmware of the device. 
Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device to turn on the TPM, or to install a driver in Windows to turn on the TPM from within Windows. +- When the TPM is enabled, it may require one or more restarts. -Basically, it was a hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or leave BitLocker disabled. +This made preparing the TPM in Windows 7 problematic. If IT staff are provisioning new PCs, they can handle the required steps for preparing a TPM. However, if BitLocker needed to be enabled on devices that are already in users' hands, those users would probably struggle with the technical challenges. The user would then either call to IT for support or leave BitLocker disabled. Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated. 
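Review bot: in the TPM pre-provisioning list, the first new bullet states the same thing twice ("Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings ...") and switches from past to present tense within the bullet; keep one sentence, in past tense, to match the lead-in "In Windows 7, preparing the TPM offered a few challenges". Two smaller points in the same hunk: "The user would then either call to IT for support" should be "call IT for support", and the rewritten last table row repeats the SSO/cold-boot sentence that the first row's Windows 11/10 cell already carries, so in the first row the Network Unlock sentence alone answers the kiosk concern. The Applies-to change from "Windows Server 2016 and later" to "and above" also departs from the usual version-range wording; "and later" was correct as it stood.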
@@ -62,65 +63,83 @@ BitLocker is capable of encrypting entire hard drives, including both system and With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10. -## BitLocker device encryption +## BitLocker Device Encryption -Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11. +Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11. -Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption. +Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. 
-Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: +Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically: -* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. -* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. -* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). 
You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. -* Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. +- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. -Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: -- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker -- **Value**: PreventDeviceEncryption equal to True (1) -- **Type**: REG\_DWORD +- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. 
When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials. -Administrators can manage domain-joined devices that have BitLocker device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS: + + *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** + + With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. + +- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. 
+ +Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: + +- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker` +- **Type**: `REG_DWORD` +- **Value**: `PreventDeviceEncryption` equal to `1` (True) + +Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. > [!NOTE] -> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied. +> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied. ## Used Disk Space Only encryption -BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused. -But why encrypt a new drive when you can encrypt the data as it is being written? 
To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent. -Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk. +BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including areas that didn't have data. Encrypting every byte on the volume including areas that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused. + +To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty won't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent. + +Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. 
When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk. ## Encrypted hard drive support -SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. -Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use, whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements. -For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md). +SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. + +Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. 
This feature improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements. + +For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md). ## Preboot information protection An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it. + It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided. -Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. 
Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md). + +Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md). ## Manage passwords and PINs -When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files. +When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files. 
+ +Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly. -Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly. Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. + For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md). ## Configure Network Unlock -Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. 
The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary. +Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary. Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled). 
Network Unlock requires the following infrastructure: -* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) -* A server running at least Windows Server 2012 with the Windows deployment services role -* A server with the DHCP server role installed +- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) + +- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role + +- A server with the DHCP server role installed For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). 
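Review bot: in the domain-join bullet of the BitLocker Device Encryption list, "The following Group Policy settings must be enabled" introduces a single item, and the path it gives ends at **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**, which is an option within a policy setting rather than a setting itself; the removed text kept the two steps apart ("enable the ... Operating System Drives Group Policy setting, and select the ... option"), so restore that distinction, for example "enable the policy setting under *Operating System Drives* and select the option **Do not enable BitLocker until ...**". Grammar in the same hunk: "BitLocker in Windows 11 and Windows 10 let users choose" should be "lets users choose", and "sectors where previously unencrypted data are stored" should be "was stored". In the PIN paragraph the rewrite drops the parenthetical "(a second "something you know")" from the removed line; without it the sentence no longer says what kind of factor the PIN adds, so keep the parenthetical.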
@@ -128,21 +147,31 @@ For more information about how to configure Network unlock feature, see [BitLock Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features: -* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise. -* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself. -* Provides centralized reporting and hardware management with Microsoft Configuration Manager. -* Reduces the workload on the help desk to assist end users with BitLocker recovery requests. -* Enables end users to recover encrypted devices independently by using the Self-Service Portal. -* Enables security officers to easily audit access to recovery key information. -* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. -* Enforces the BitLocker encryption policy options that you set for your enterprise. -* Integrates with existing management tools, such as Microsoft Configuration Manager. -* Offers an IT-customizable recovery user experience. -* Supports Windows 11 and Windows 10. +- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise. + +- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself. + +- Provides centralized reporting and hardware management with Microsoft Configuration Manager. + +- Reduces the workload on the help desk to assist end users with BitLocker recovery requests. + +- Enables end users to recover encrypted devices independently by using the Self-Service Portal. + +- Enables security officers to easily audit access to recovery key information. 
+ +- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. + +- Enforces the BitLocker encryption policy options that are set for the enterprise. + +- Integrates with existing management tools, such as Microsoft Configuration Manager. + +- Offers an IT-customizable recovery user experience. + +- Supports Windows 11 and Windows 10. > [!IMPORTANT] > Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026. -Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker). +Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management). Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor). diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml index 3f48006d72..353a01de5b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml 
@@ -4,37 +4,40 @@ metadata: description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - M365-security-compliance - highpri ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker frequently asked questions (FAQ) resources summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above - This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. + This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. 
- - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) - - [Upgrading](bitlocker-upgrading-faq.yml) - - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) - - [Key management](bitlocker-key-management-faq.yml) - - [BitLocker To Go](bitlocker-to-go-faq.yml) - - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml) - - [Security](bitlocker-security-faq.yml) - - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml) - - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml) + - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) + - [Upgrading](bitlocker-upgrading-faq.yml) + - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) + - [Key management](bitlocker-key-management-faq.yml) + - [BitLocker To Go](bitlocker-to-go-faq.yml) + - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml) + - [Security](bitlocker-security-faq.yml) + - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml) + - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml) 
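Review bot: the *Applies to:* list added to the FAQ hub summary uses "Windows Server 2016 and above" while the removed Applies-to line in the overview article earlier in this patch read "and later"; "and later" is the standard version-range wording, so use that form in both files rather than introducing "and above" here.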
@@ -44,11 +47,11 @@ sections: - question: | More information answer: | - - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) - - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) - - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true) + - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) + - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) + - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) + - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) + - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true) diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 2294d0cd3e..58f19b4708 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md 
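Review bot: the "More information" list keeps the link text "BitLocker: How to deploy on Windows Server 2012" unchanged while the same file's `*Applies to:*` was just narrowed to Windows 10, Windows 11 and "Windows Server 2016 and above"; the target is `bitlocker-how-to-deploy-on-windows-server.md`, so either drop the version from the link text ("BitLocker: How to deploy on Windows Server") or keep the older versions in the applies-to list. The cmdlet reference link also still pins `view=win10-ps&preserve-view=true` although Windows 11 is now in scope. As in the previous hunk, these lines differ only by whitespace inside a `|` block scalar, so the rendered list indentation should be checked.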
@@ -4,38 +4,42 @@ description: This article for IT professionals describes the function, location, ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 04/17/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker group policy settings -**Applies to:** +*Applies to:* -- Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. -To control the drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. +Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users. > [!NOTE] > A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md). 
-BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. -Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. +BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. -If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group -Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. +Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. 
If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with Group Policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. This scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in Group Policy settings. -## BitLocker group policy settings +If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. This situation could occur, for example, if a removable drive is initially configured for unlock with a password but then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the Group Policy setting, and BitLocker protection on the drive can be resumed. + +In other scenarios, to bring the drive into compliance with a change in Group Policy settings, BitLocker may need to be disabled and the drive decrypted followed by reenabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance. 
+ +## BitLocker group policy settings details > [!NOTE] > For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker). 
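Review bot: the rewritten compliance sentence inverts the original meaning. "BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state" now says the configuration *may* be modified, whereas the removed text said BitLocker "may not be turned on or modified until the computer is in a compliant state." Suggest: "BitLocker may not be turned on, and the BitLocker configuration may not be modified, until the computer is in a compliant state." Two smaller points in the same hunk: "BitLocker protection needs to be suspended by using the Manage-bde command-line tool, delete the password unlock method, and add the smart card method" is not parallel; "suspend BitLocker protection by using the Manage-bde command-line tool, delete the password unlock method, and add the smart card method" reads correctly. And in the new decrypt/re-encrypt paragraph, "The Manage-bde command-line can also be used" should be "command-line tool", matching the earlier sentence.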
@@ -44,290 +48,281 @@ The following sections provide a comprehensive list of BitLocker group policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. -- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout) -- [Allow network unlock at startup](#bkmk-netunlock) -- [Require additional authentication at startup](#bkmk-unlockpol1) -- [Allow enhanced PINs for startup](#bkmk-unlockpol2) -- [Configure minimum PIN length for startup](#bkmk-unlockpol3) -- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked) -- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange) -- [Configure use of passwords for operating system drives](#bkmk-ospw) -- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) -- [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5) -- [Configure use of passwords on fixed data drives](#bkmk-unlockpol6) -- [Configure use of smart cards on removable data drives](#bkmk-unlockpol7) -- [Configure use of passwords on removable data drives](#bkmk-unlockpol8) -- [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9) -- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates) +- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#allow-devices-with-secure-boot-and-protected-dma-ports-to-opt-out-of-preboot-pin) +- [Allow network unlock at startup](#allow-network-unlock-at-startup) +- [Require additional authentication at startup](#require-additional-authentication-at-startup) +- [Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup) +- [Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup) +- [Disable new DMA devices when this computer is 
locked](#disable-new-dma-devices-when-this-computer-is-locked) +- [Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password) +- [Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives) +- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#require-additional-authentication-at-startup-windows-server-2008-and-windows-vista) +- [Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives) +- [Configure use of passwords on fixed data drives](#configure-use-of-passwords-on-fixed-data-drives) +- [Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives) +- [Configure use of passwords on removable data drives](#configure-use-of-passwords-on-removable-data-drives) +- [Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance) +- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates) The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers. 
-- [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1) -- [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2) -- [Control use of BitLocker on removable drives](#bkmk-driveaccess3) +- [Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker) +- [Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker) +- [Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives) The following policy settings determine the encryption methods and encryption types that are used with BitLocker. -- [Choose drive encryption method and cipher strength](#bkmk-encryptmeth) -- [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd) -- [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd) -- [Configure use of hardware-based encryption for removable data drives](#bkmk-hderdd) -- [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd) -- [Enforce drive encryption type on operating system drives](#bkmk-detypeosd) -- [Enforce drive encryption type on removable data drives](#bkmk-detyperdd) +- [Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength) +- [Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives) +- [Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives) +- [Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives) +- [Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives) +- [Enforce drive encryption type on operating system 
drives](#enforce-drive-encryption-type-on-operating-system-drives) +- [Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives) The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. -- [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1) -- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) -- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) -- [Choose default folder for recovery password](#bkmk-rec4) -- [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6) -- [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7) -- [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot) +- [Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) +- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#choose-how-users-can-recover-bitlocker-protected-drives-windows-server-2008-and-windows-vista) +- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#store-bitlocker-recovery-information-in-active-directory-domain-services-windows-server-2008-and-windows-vista) +- [Choose default folder for recovery password](#choose-default-folder-for-recovery-password) +- [Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered) +- [Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered) +- [Configure the pre-boot recovery message and 
URL](#configure-the-pre-boot-recovery-message-and-url) -The following policies are used to support customized deployment scenarios in your organization. +The following policies are used to support customized deployment scenarios in an organization. -- [Allow Secure Boot for integrity validation](#bkmk-secboot) -- [Provide the unique identifiers for your organization](#bkmk-depopt1) -- [Prevent memory overwrite on restart](#bkmk-depopt2) -- [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios) -- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3) -- [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi) -- [Reset platform validation data after BitLocker recovery](#bkmk-resetrec) -- [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd) -- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) -- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) +- [Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation) +- [Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization) +- [Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart) +- [Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations) +- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#configure-tpm-platform-validation-profile-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2) +- [Configure TPM platform validation profile for native UEFI firmware 
configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations) +- [Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery) +- [Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile) +- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-fixed-data-drives-from-earlier-versions-of-windows) +- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-removable-data-drives-from-earlier-versions-of-windows) -### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN +### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| -|**Introduced**|Windows 10, version 1703, or Windows 11| +|**Policy description**|With this policy setting, TPM-only protection can be allowed for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| +|**Introduced**|Windows 10, version 1703| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|This setting overrides the 
**Require startup PIN with TPM** option of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy on compliant hardware.| |**When enabled**|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.| -|**When disabled or not configured**|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.| +|**When disabled or not configured**|The options of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy apply.| -**Reference** +#### Reference: Allow devices with secure boot and protected DMA ports to opt out of preboot PIN -The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. +The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. This setting enables an exception to the PIN-required policy on secure hardware. -### Allow network unlock at startup +### Allow network unlock at startup This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. 
This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.| +|**Policy description**|With this policy setting, it can be controlled whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.| -|**When disabled or not configured**|Clients can't create and use Network Key Protectors| +|**When disabled or not configured**|Clients can't create and use Network Key Protectors.| -**Reference** +#### Reference: Allow network unlock at startup -To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. 
The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock. +To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock. > [!NOTE] > For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup. For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). -### Require additional authentication at startup +### Require additional authentication at startup This policy setting is used to control which unlock options are available for operating system drives. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.| +|**Policy description**|With this policy setting, it can be configured whether BitLocker requires additional authentication each time the computer starts and whether BitLocker will be used with a Trusted Platform Module (TPM). This policy setting is applied when BitLocker is turned on.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.| |**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.| -|**When disabled or not configured**|Users can configure only basic options on computers with a TPM.

    Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| +|**When disabled or not configured**|Users can configure only basic options on computers with a TPM.

    Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| -**Reference** +#### Reference: Require additional authentication at startup -If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. +If BitLocker needs to be used on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. 
When the computer starts, it can use: -- Only the TPM -- Insertion of a USB flash drive containing the startup key -- The entry of a 4-digit to 20-digit personal identification number (PIN) -- A combination of the PIN and the USB flash drive +- Only the TPM +- Insertion of a USB flash drive containing the startup key +- The entry of a 4-digit to 20-digit personal identification number (PIN) +- A combination of the PIN and the USB flash drive There are four options for TPM-enabled computers or devices: -- Configure TPM startup +- Configure TPM startup + - Allow TPM + - Require TPM + - Do not allow TPM +- Configure TPM startup PIN - - Allow TPM - - Require TPM - - Do not allow TPM -- Configure TPM startup PIN + - Allow startup PIN with TPM + - Require startup PIN with TPM + - Do not allow startup PIN with TPM - - Allow startup PIN with TPM - - Require startup PIN with TPM - - Do not allow startup PIN with TPM -- Configure TPM startup key +- Configure TPM startup key + - Allow startup key with TPM + - Require startup key with TPM + - Do not allow startup key with TPM - - Allow startup key with TPM - - Require startup key with TPM - - Do not allow startup key with TPM -- Configure TPM startup key and PIN +- Configure TPM startup key and PIN + - Allow TPM startup key with PIN + - Require startup key and PIN with TPM + - Do not allow TPM startup key with PIN - - Allow TPM startup key with PIN - - Require startup key and PIN with TPM - - Do not allow TPM startup key with PIN +### Allow enhanced PINs for startup -### Allow enhanced PINs for startup +This policy setting permits the use of enhanced PINs when an unlock method that includes a PIN is used. -This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. 
- -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.| +|**Policy description**|With this policy setting, it can be configured whether enhanced startup PINs are used with BitLocker.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.| -|**When disabled or not configured**|Enhanced PINs will not be used.| +|**When disabled or not configured**|Enhanced PINs won't be used.| -**Reference** +#### Reference: Allow enhanced PINs for startup -Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. +Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when BitLocker is turned on. > [!IMPORTANT] > Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. -### Configure minimum PIN length for startup +### Configure minimum PIN length for startup -This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. +This policy setting is used to set a minimum PIN length when an unlock method that includes a PIN is used. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.| +|**Policy description**|With this policy setting, it can be configured a minimum length for a TPM startup PIN. This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.| +|**When enabled**|The required minimum length of startup PINs set by users can be set between 4 and 20 digits.| |**When disabled or not configured**|Users can configure a startup PIN of any length between 6 and 20 digits.| -**Reference** +#### Reference: Configure minimum PIN length for startup -This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits. +This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits. -Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. 
-Windows Hello has its own PIN for logon, length of which can be 4 to 127 characters. -Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. +Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. -The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. -For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. -A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. -This totals a maximum of about 4415 guesses per year. -If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. +The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Increasing the PIN length requires a greater number of guesses for an attacker. 
-In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. +Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. -Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. -To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. -If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. +Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. ### Disable new DMA devices when this computer is locked -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. 
+This policy setting allows blocking of direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. -| |   | +| Item | Info | |:---|:---| |**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.| -|**Introduced**|Windows 10, version 1703, or Windows 11| +|**Introduced**|Windows 10, version 1703| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| |**When enabled**|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.| |**When disabled or not configured**|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| -**Reference** +#### Reference: Disable new DMA devices when this computer is locked This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](/archive/blogs/secguide/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105). -### Disallow standard users from changing the PIN or password +### Disallow standard users from changing the PIN or password -This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. 
+This policy setting allows configuration of whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.| +|**Policy description**|With this policy setting, it can be configured whether standard users are allowed to change the PIN or password used to protect the operating system drive.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Standard users aren't allowed to change BitLocker PINs or passwords.| |**When disabled or not configured**|Standard users are permitted to change BitLocker PINs or passwords.| -**Reference** +#### Reference: Disallow standard users from changing the PIN or password -To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. +To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when BitLocker is turned on. -### Configure use of passwords for operating system drives +### Configure use of passwords for operating system drives This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. 
Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.| +|**Policy description**|With this policy setting, the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker can be specified.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.


    **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.| -|**When enabled**|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.

    **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS-compliance is enabled.
    | +|**When enabled**|Users can configure a password that meets the defined requirements. To enforce complexity requirements for the password, select **Require complexity**.| |**When disabled or not configured**|The default length constraint of eight characters will apply to operating system drive passwords and no complexity checks will occur.| -**Reference** +#### Reference: Configure use of passwords for operating system drives -If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**, must be also enabled. +If non-TPM protectors are allowed on operating system drives, a password, enforcement of complexity requirements on the password, and configuration of a minimum length for the password can all be provisioned. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must be also enabled. > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. 
If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation. +When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there's no password complexity validation. + Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. -When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to: +When this policy setting is enabled, the option **Configure password complexity for operating system drives** can be set to: -- Allow password complexity -- Deny password complexity -- Require password complexity +- Allow password complexity +- Deny password complexity +- Require password complexity -### Require additional authentication at startup (Windows Server 2008 and Windows Vista) +### Require additional authentication at startup (Windows Server 2008 and Windows Vista) This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.| +|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives (Windows Server 2008 and Windows Vista)| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|If you choose to require an additional authentication method, other authentication methods can't be allowed.| -|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|If an additional authentication method is chosen, other authentication methods can't be allowed.| +|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. Setting options can be further configured for computers with or without a TPM.| |**When disabled or not configured**|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. 
In this basic wizard, no additional startup key or startup PIN can be configured.| -**Reference** +#### Reference: Require additional authentication at startup (Windows Server 2008 and Windows Vista) On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can prompt users to insert a USB drive that contains a startup key. It can also prompt users to enter a startup PIN with a length between 6 and 20 digits. 
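Review bot: the **Conflicts** cell of the "Configure use of passwords for operating system drives" table still spans several physical lines on the `+` side (`+|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.`, then the indented `**NOTE:** ...` paragraph, then a lone `|`), which a markdown table can't render; collapse it to a single line, for example with `<br>` before `**NOTE:**`, and close the cell on the same line. A few of the passive rewrites in this hunk also read as ungrammatical: `it can be configured a minimum length for a TPM startup PIN` should be "a minimum length for a TPM startup PIN can be configured", and `it can be configured whether enhanced startup PINs are used` reads better as "this policy setting configures whether enhanced startup PINs are used". The new "Require complexity" line carries over the missing "of" in `to validate the complexity the password`, and `must be also enabled` should be "must also be enabled". Minor: `This number of attempts totals to a maximum of about 4415 guesses per year` can be "That adds up to a maximum of about 4415 guesses per year", and the unchanged context row `Every time the user locks the scree` has a typo ("screen") worth fixing while this table is being edited.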
@@ -335,57 +330,56 @@ A USB drive that contains a startup key is needed on computers without a compati There are two options for TPM-enabled computers or devices: -- Configure TPM startup PIN +- Configure TPM startup PIN + - Allow startup PIN with TPM + - Require startup PIN with TPM + - Do not allow startup PIN with TPM - - Allow startup PIN with TPM - - Require startup PIN with TPM - - Do not allow startup PIN with TPM -- Configure TPM startup key +- Configure TPM startup key + - Allow startup key with TPM + - Require startup key with TPM + - Do not allow startup key with TPM - - Allow startup key with TPM - - Require startup key with TPM - - Do not allow startup key with TPM - -These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur. +These options are mutually exclusive. If a startup key is required, a startup PIN isn't allowed. If startup PIN is required, startup key isn't allowed. If these policies are in conflict, a policy error will occur. To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN. -### Configure use of smart cards on fixed data drives +### Configure use of smart cards on fixed data drives This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.| +|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| -|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| -|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| +|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting may need to be modified to match the object identifier of the smart card certificates.| +|**When enabled**|Smart cards can be used to authenticate user access to the drive. 
Smart card authentication can be required by selecting the **Require use of smart cards on fixed data drives** check box.| |**When disabled**|Users can't use smart cards to authenticate their access to BitLocker-protected fixed data drives.| |**When not configured**|Smart cards can be used to authenticate user access to a BitLocker-protected drive.| -**Reference** +#### Reference: Configure use of smart cards on fixed data drives > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. -### Configure use of passwords on fixed data drives +### Configure use of passwords on fixed data drives This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.| +|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected fixed data drives.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.| -|**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. 
To enforce complexity requirements on the password, select **Require complexity**.| +|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.| |**When disabled**|The user isn't allowed to use a password.| |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.| -**Reference** +#### Reference: Configure use of passwords on fixed data drives When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. 
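Review bot: the **Conflicts** cell of the "Configure use of smart cards on fixed data drives" table is rewritten on the `+` side but keeps the backslash path style (`**Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance**`) that this change converts elsewhere to `*Computer Configuration* > *Administrative Templates* > ...`; convert it too. That path also omits the *Windows Components* node that the **Policy path** row immediately above it includes (`*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*`), so the cell points at a node that doesn't match the rest of the document. The unchanged **Conflicts** row of the "Configure use of passwords on fixed data drives" table (`**Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements**`) has the same inconsistency. In the rewritten mutual-exclusion sentence, `If startup PIN is required, startup key isn't allowed` needs its articles: "If a startup PIN is required, a startup key isn't allowed".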
@@ -398,53 +392,51 @@ Passwords must be at least eight characters. To configure a greater minimum leng > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. -This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector can't be added to the drive. +For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** > **Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. The policy setting also applies to both local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. 
When this policy setting is enabled, if a local user account signs in, and a drive is attempted to be encrypted or a password changed on an existing BitLocker-protected drive, an **Access denied** error message is displayed. In this situation, the password key protector can't be added to the drive. -Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. +Enabling this policy setting requires that a device is connected to a domain before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they'll be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. > [!IMPORTANT] -> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS compliance is enabled. 
-### Configure use of smart cards on removable data drives +### Configure use of smart cards on removable data drives This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.| +|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| -|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| -|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| +|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration** > **Administrative Templates** > **BitLocker Drive Encryption** > **Validate smart card certificate usage rule compliance** policy setting may also need to be modified to match the object identifier of the smart card certificates.| +|**When enabled**|Smart cards can be used to authenticate user access to the drive. 
Smart card authentication can be required by selecting the **Require use of smart cards on removable data drives** check box.| |**When disabled or not configured**|Users aren't allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.| |**When not configured**|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.| -**Reference** +#### Reference: Configure use of smart cards on removable data drives > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -### Configure use of passwords on removable data drives +### Configure use of passwords on removable data drives This policy setting is used to require, allow, or deny the use of passwords with removable data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.| +|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected removable data drives.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.| -|**When enabled**|Users can configure a password that meets the requirements you define. 
To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.| +|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.| |**When disabled**|The user isn't allowed to use a password.| |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.| -**Reference** +#### Reference: Configure use of passwords on removable data drives -If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at -**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**, must also be enabled. +If use of passwords is allowed, requiring a password to be used, enforcement of password complexity requirements, and password minimum length can all be configured. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must also be enabled. > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. 
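Review bot: the "Configure use of smart cards on removable data drives" table has two rows that both cover the not-configured case with opposite outcomes: `|**When disabled or not configured**|Users aren't allowed to use smart cards ...|` followed by `|**When not configured**|Smart cards are available ...|`. The fixed-data-drives table earlier in this patch uses **When disabled** / **When not configured**, so the first row here should read **When disabled**; since this table is being edited, fix it in the same change. The rewritten **Conflicts** cell in that table uses a bold breadcrumb (`**Computer Configuration** > **Administrative Templates** > **BitLocker Drive Encryption** > ...`) while the **Policy path** rows use italic (`*Computer Configuration* > ...`), and the same applies to the rewritten complexity-requirement sentence (`**Computer Configuration** > **Windows Settings** > ...`); pick one style for the whole page. That bold breadcrumb also drops the *Windows Components* node shown in every **Policy path** row. In the "Access denied" paragraph, `a drive is attempted to be encrypted or a password changed` reads better as "an attempt is made to encrypt a drive or to change a password", and replacing "This means that it applies to" with `The policy setting also applies to` loses the reasoning link; "so it applies to both local user accounts and domain user accounts" keeps it.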
@@ -453,32 +445,32 @@ Passwords must be at least eight characters. To configure a greater minimum leng When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. -When set to **Allow complexity**, a connection to a domain controller is be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector. +When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector. When set to **Do not allow complexity**, no password complexity validation is done. > [!NOTE] -> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled. For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). 
-### Validate smart card certificate usage rule compliance +### Validate smart card certificate usage rule compliance This policy setting is used to determine what certificate to use with BitLocker. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.| +|**Policy description**|With this policy setting, an object identifier from a smart card certificate can be associated to a BitLocker-protected drive.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed and removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| |**When enabled**|The object identifier that is specified in the **Object identifier** setting must match the object identifier in the smart card certificate.| |**When disabled or not configured**|The default object identifier is used.| -**Reference** +#### Reference: Validate smart card certificate usage rule compliance -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. 
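Review bot: the "Allow complexity" paragraph in this hunk fixes "is be attempted" but leaves the second typo in the same sentence: "the password is still be accepted regardless of actual password complexity" should read "the password is still accepted". In the smart card table, "an object identifier from a smart card certificate can be associated to a BitLocker-protected drive" should use "associated with".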
@@ -487,138 +479,143 @@ The default object identifier is 1.3.6.1.4.1.311.67.1.1. > [!NOTE] > BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. -### Enable use of BitLocker authentication requiring preboot keyboard input on slates +### Enable use of BitLocker authentication requiring preboot keyboard input on slates -### Enable use of BitLocker authentication requiring pre-boot keyboard input on slates - -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.| +|**Policy description**|With this policy setting, users can be allowed to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Devices must have an alternative means of preboot input (such as an attached USB keyboard).| |**When disabled or not configured**|The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.| -**Reference** +#### Reference: Enable use of BitLocker authentication requiring preboot keyboard input on slates The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as 
a PIN or password. It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. -When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. +When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, BitLocker can't be turned on a device that uses the Windows touch keyboard. -If you don't enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available: +If this policy setting isn't enabled, the following options in the **Require additional authentication at startup** policy might not be available: -- Configure TPM startup PIN: Required and Allowed -- Configure TPM startup key and PIN: Required and Allowed -- Configure use of passwords for operating system drives +- Configure TPM startup PIN: Required and Allowed +- Configure TPM startup key and PIN: Required and Allowed +- Configure use of passwords for operating system drives -### Deny write access to fixed drives not protected by BitLocker +### Deny write access to fixed drives not protected by BitLocker This policy setting is used to require encryption of fixed drives prior to granting Write access. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.| +|**Policy description**|With this policy setting, it can be set whether BitLocker protection is required for fixed data drives to be writable on a computer.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|See the Reference section for a description of conflicts.| |**When enabled**|All fixed data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.| |**When disabled or not configured**|All fixed data drives on the computer are mounted with Read and Write access.| -**Reference** +#### Reference: Deny write access to fixed drives not protected by BitLocker -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. Conflict considerations include: -1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. -2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues: +1. When this policy setting is enabled, users receive **Access denied** error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. 
- - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker." +2. If `BdeHdCfg.exe` is run on a computer when this policy setting is enabled, the following issues could be encountered: -3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. + - If it was attempted to shrink a drive to create the system drive, the drive size is successfully reduced, and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.** -### Deny write access to removable drives not protected by BitLocker + - If it was attempted to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition won't be formatted. 
The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.** + + - If it was attempted to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: **BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker.** + +3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If computers are being upgrading in an organization from a previous version of Windows, and those computers were configured with a single partition, the required BitLocker system partition should be created before applying this policy setting to the computers. + +### Deny write access to removable drives not protected by BitLocker This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.| +|**Policy description**|With this policy setting, it can be configured whether BitLocker protection is required for a computer to be able to write data to a removable data drive.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|See the Reference section for a description of conflicts.| |**When enabled**|All removable data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.| |**When disabled or not configured**|All removable data drives on the computer are mounted with Read and Write access.| -**Reference** +#### Reference: Deny write access to removable drives not protected by BitLocker If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it's checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. > [!NOTE] -> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. 
+> This policy setting can be overridden with the policy settings under **User Configuration** > **Administrative Templates** > **System** > **Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. Conflict considerations include: -1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. -2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. -3. You must enable the **Provide the unique identifiers for your organization** policy setting if you want to deny Write access to drives that were configured in another organization. +1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. -### Control use of BitLocker on removable drives +2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. + +3. The **Provide the unique identifiers for your organization** policy setting must be enabled if Write access needs to be denied to drives that were configured in another organization. + +### Control use of BitLocker on removable drives This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control the use of BitLocker on removable data drives.| +|**Policy description**|With this policy setting, it can be controlled the use of BitLocker on removable data drives.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| -|**When enabled**|You can select property settings that control how users can configure BitLocker.| +|**When enabled**|Property settings can be selected that control how users can configure BitLocker.| |**When disabled**|Users can't use BitLocker on removable data drives.| |**When not configured**|Users can use BitLocker on removable data drives.| -**Reference** +#### Reference: Control use of BitLocker on removable drives -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md). The options for choosing property settings that control how users can configure BitLocker are: -- **Allow users to apply BitLocker protection on removable data drives** Enables the user to run the BitLocker Setup Wizard on a removable data drive. -- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. +- **Allow users to apply BitLocker protection on removable data drives** Enables the user to run the BitLocker Setup Wizard on a removable data drive. 
-### Choose drive encryption method and cipher strength +- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. + +### Choose drive encryption method and cipher strength This policy setting is used to control the encryption method and cipher strength. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control the encryption method and strength for drives.| +|**Policy description**|With this policy setting, it can be controlled the encryption method and strength for drives.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| -|**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.| -|**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. +|**When enabled**|An encryption algorithm and key cipher strength for BitLocker can be chosen to use to encrypt drives.| +|**When disabled or not configured**|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. -**Reference** +#### Reference: Choose drive encryption method and cipher strength -The values of this policy determine the strength of the cipher that BitLocker uses for encryption. -Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). 
+The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). -If you enable this setting, you can configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. -For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. -For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511 or later, or Windows 11. +If this setting is enabled, it can be configured an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. + +- For fixed and operating system drives, it's recommended to use the XTS-AES algorithm. + +- For removable drives, AES-CBC 128-bit or AES-CBC 256-bit should be used if the drive will be used in other devices that aren't running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. 
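Review bot: this hunk silently drops "or Windows 11" from two places ("Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method..." and "devices that aren't running Windows 10, version 1511 or later, or Windows 11"); if the intent is that "version 1511 or later" already covers Windows 11 it would help to say so in the PR description, otherwise the mention should stay. Several of the new passive rewrites are ungrammatical and should be reworded: "BitLocker can't be turned on a device" needs "turned on on a device" (or "can't be enabled on a device"), "If computers are being upgrading in an organization" should be "are being upgraded", and the pattern "it can be controlled the use of BitLocker on removable data drives" / "it can be controlled the encryption method and strength for drives" / "it can be configured the encryption type" should become "the use of BitLocker on removable data drives can be controlled", "the encryption method and strength for drives can be controlled", and "the encryption type that is used by BitLocker can be configured". While touching the "Choose drive encryption method" table, the "When disabled or not configured" row is missing its closing "|" in both the old and new lines.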
@@ -627,171 +624,171 @@ Changing the encryption method has no effect if the drive is already encrypted o When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script. -### Configure use of hardware-based encryption for fixed data drives +### Configure use of hardware-based encryption for fixed data drives This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.| +|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|None| -|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. 
You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When disabled**|BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -**Reference** +#### Reference: Configure use of hardware-based encryption for fixed data drives > [!NOTE] > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. -The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: +The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. 
The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Configure use of hardware-based encryption for operating system drives +### Configure use of hardware-based encryption for operating system drives This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.| +|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on operating system drives and specifies which encryption algorithms it can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. 
It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When disabled**|BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -**Reference** +#### Reference: Configure use of hardware-based encryption for operating system drives If hardware-based encryption isn't available, BitLocker software-based encryption is used instead. > [!NOTE] > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. -The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: +The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. 
Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Configure use of hardware-based encryption for removable data drives +### Configure use of hardware-based encryption for removable data drives This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.| +|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on removable data drives and specifies which encryption algorithms it can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Removable data drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| -|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. 
You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When disabled**|BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -**Reference** +#### Reference: Configure use of hardware-based encryption for removable data drives If hardware-based encryption isn't available, BitLocker software-based encryption is used instead. > [!NOTE] > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. -The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: +The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. 
The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Enforce drive encryption type on fixed data drives +### Enforce drive encryption type on fixed data drives This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Fixed data drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|None| |**When enabled**|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -**Reference** +#### Reference: Enforce drive encryption type on fixed data drives -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. +This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. 
> [!NOTE] -> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> This policy is ignored when a volume is being shrunk or expanded and the BitLocker drive uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -### Enforce drive encryption type on operating system drives +### Enforce drive encryption type on operating system drives This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -**Reference** +#### Reference: Enforce drive encryption type on operating system drives -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. +This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. 
> [!NOTE] -> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -### Enforce drive encryption type on removable data drives +### Enforce drive encryption type on removable data drives This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Removable data drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -**Reference** +#### Reference: Enforce drive encryption type on removable data drives -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. +This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. 
> [!NOTE] -> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -### Choose how BitLocker-protected operating system drives can be recovered +### Choose how BitLocker-protected operating system drives can be recovered This policy setting is used to configure recovery methods for operating system drives. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.| +|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

    When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.| -|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

    When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.| +|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected operating system drives.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Choose how BitLocker-protected operating system drives can be recovered -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. 
@@ -799,377 +796,380 @@ For more information about adding data recovery agents, see [BitLocker basic dep In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for -the drive are determined by the policy setting. +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If **Store recovery password and key packages** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. 
If **Store recovery password only** is selected, only the recovery password is stored in AD DS. -Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if users need to be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] > If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. -### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) +### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.| +|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| -|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.| -|**When enabled**|You can configure the options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| +|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. 
If the **Do not allow** option is chosen for both user recovery options, the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting must be enabled to prevent a policy error.| +|**When enabled**|The options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data can be configured.| |**When disabled or not configured**|The BitLocker Setup Wizard presents users with ways to store recovery options.| -**Reference** +#### Reference: Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) -This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. +This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when BitLocker is turned on. Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key. -Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving the recovery password to a folder stores the 48-digit recovery password as a text file. Printing the recovery password sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. +- Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. +- Saving the recovery password to a folder stores the 48-digit recovery password as a text file. +- Printing the recovery password sends the 48-digit recovery password to the default printer. 
+ +For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. > [!IMPORTANT] > If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. > The 48-digit recovery password isn't available in FIPS-compliance mode. > [!IMPORTANT] -> To prevent data loss, you must have a way to recover BitLocker encryption keys. If you don't allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. +> To prevent data loss, there must be a way to recover BitLocker encryption keys. If both recovery options are not allowed, backup of BitLocker recovery information to AD DS must be enabled. Otherwise, a policy error occurs. -### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) +### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) -This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. +This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.| +|**Policy description**|This policy setting allows management of the AD DS backup of BitLocker Drive Encryption recovery information.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| |**When enabled**|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.| |**When disabled or not configured**|BitLocker recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) This policy is only applicable to computers running Windows Server 2008 or Windows Vista. -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. -BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. +BitLocker recovery information includes the recovery password and unique identifier data. A package that contains an encryption key for a BitLocker-protected drive can also be included. 
This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. -If you select **Require BitLocker backup to AD DS**, BitLocker can't be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. +If **Require BitLocker backup to AD DS** is selected, BitLocker can't be turned on unless the computer is connected to the domain, and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. -A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. +A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. If the **Require BitLocker backup to AD DS** option isn't selected, AD DS backup is attempted, but network or other backup failures don't prevent the BitLocker setup. The Backup process isn't automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup. -TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up. +TPM initialization might be needed during the BitLocker setup. 
Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services** to ensure that TPM information is also backed up. For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). -### Choose default folder for recovery password +### Choose default folder for recovery password This policy setting is used to configure the default folder for recovery passwords. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.| +|**Policy description**|With this policy setting, the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password can be specified.| |**Introduced**|Windows Vista| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| -|**When enabled**|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.| +|**When enabled**|The path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder can be specified. A fully qualified path can be specified. 
The target computer's environment variables can also be included in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.| |**When disabled or not configured**|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.| -**Reference** +#### Reference: Choose default folder for recovery password -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. > [!NOTE] > This policy setting doesn't prevent the user from saving the recovery password in another folder. -### Choose how BitLocker-protected fixed drives can be recovered +### Choose how BitLocker-protected fixed drives can be recovered This policy setting is used to configure recovery methods for fixed data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.| +|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| -|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

    When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| -|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| +|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

    When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.| +|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected fixed data drives.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Choose how BitLocker-protected fixed drives can be recovered -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. 
Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. -Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the `Repair-bde` command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, the `Repair-bde.exe` command-line tool can be used. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS. For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde). -Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. 
> [!NOTE] > If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. -### Choose how BitLocker-protected removable drives can be recovered +### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.| +|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected removable data drives are recovered in the absence of the required credentials.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| -|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

    When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| -|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| +|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

    When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.| +|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected removable data drives.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Choose how BitLocker-protected removable drives can be recovered -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor. In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting. 
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS. -Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] > If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. -### Configure the pre-boot recovery message and URL +### Configure the pre-boot recovery message and URL This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.| +|**Policy description**|With this policy setting, it can be configured the BitLocker recovery screen to display a customized message and URL.| |**Introduced**|Windows| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > *Configure pre-boot recovery message and URL*| |**Conflicts**|None| -|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.| +|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If a custom recovery message and URL has been previously enabled and the message and URL need to be reverted back to the default message and URL, the policy setting must be enabled and the **Use default recovery message and URL** option selected.| |**When disabled or not configured**|If the setting hasn't been previously enabled, then the default pre-boot recovery screen is displayed for BitLocker recovery. 
If the setting previously was enabled and is later disabled, then the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.| -**Reference** +#### Reference: Configure the pre-boot recovery message and URL -Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. +Enabling the **Configure the pre-boot recovery message and URL** policy setting allows customization of the default recovery screen message and URL to assist customers in recovering their key. -Once you enable the setting, you have three options: +Once the setting is enabled, three options are available: -- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. -- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. -- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen. +- If the **Use default recovery message and URL** option is selected, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. +- If the **Use custom recovery message** option is selected, enter the custom message in the **Custom recovery message option** text box. 
The message that is entered in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. +- If the **Use custom recovery URL** option is selected, enter the custom message URL in the **Custom recovery URL option** text box. The URL that is entered in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen. > [!IMPORTANT] -> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. +> Not all characters and languages are supported in the pre-boot environment. It is strongly recommended to verify the correct appearance of the characters that are used for the custom message and URL on the pre-boot recovery screen. > [!IMPORTANT] -> Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you can't return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. +> Because BCDEdit commands can be altered manually before Group Policy settings have been set, the policy setting can't be returned to the default setting by selecting the **Not Configured** option after this policy setting has been configured. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. 
-### Allow Secure Boot for integrity validation +### Allow Secure Boot for integrity validation This policy controls how BitLocker-enabled system volumes are handled with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.| +|**Policy description**|With this policy setting, it can be configured whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting isn't enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

    For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|If **Allow Secure Boot for integrity validation** is enabled, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting isn't enabled, or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

    For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.| |**When enabled or not configured**|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.| |**When disabled**|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.| -**Reference** +#### Reference: Allow Secure Boot for integrity validation Secure boot ensures that the computer's pre-boot environment loads only firmware that is digitally signed by authorized software publishers. Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. + When this policy is enabled and the hardware is capable of using secure boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** group policy setting is ignored, and secure boot verifies BCD settings according to the secure boot policy setting, which is configured separately from BitLocker. > [!WARNING] -> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If this policy is disabled, suspend BitLocker prior to applying firmware updates. -### Provide the unique identifiers for your organization +### Provide the unique identifiers for your organization -This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. +This policy setting is used to establish an identifier that is applied to all drives that are encrypted in an organization. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.| +|**Policy description**|With this policy setting, unique organizational identifiers can be associated to a new drive that is enabled with BitLocker.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it's identical to the value that is configured on the computer.| -|**When enabled**|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.| +|**When enabled**|The identification field on the BitLocker-protected drive and any allowed identification field that is used by an organization can be configured.| |**When disabled or not configured**|The identification field isn't required.| -**Reference** +#### Reference: Provide the unique identifiers for your organization -These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. 
+These identifiers are stored as the identification field and the allowed identification field. The identification field allows association of a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field's value on the drive matches the value that is configured for the identification field. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations. +The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in an organization. It's a comma-separated list of identification fields from an internal organization or external organizations. -You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. 
+The identification fields on existing drives can be configured by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization. Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value upto 260 characters. -### Prevent memory overwrite on restart +### Prevent memory overwrite on restart This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.| +|**Policy description**|With this policy setting, it can be controlled computer restart performance at the risk of exposing BitLocker secrets.| |**Introduced**|Windows Vista| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| -|**When enabled**|The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.| +|**When enabled**|The computer won't overwrite memory when it restarts. 
Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.| |**When disabled or not configured**|BitLocker secrets are removed from memory when the computer restarts.| -**Reference** +#### Reference: Prevent memory overwrite on restart -This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. +This policy setting is applied when BitLocker is turned on. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. -### Configure TPM platform validation profile for BIOS-based firmware configurations +### Configure TPM platform validation profile for BIOS-based firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. 
Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -**Reference** +#### Reference: Configure TPM platform validation profile for BIOS-based firmware configurations This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection. > [!IMPORTANT] > This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. -A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: +A platform validation profile consists of a set of PCR indices that range from 0 to 23. 
The default platform validation profile secures the encryption key against changes to the following PCRs: -- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) -- Option ROM Code (PCR 2) -- Master Boot Record (MBR) Code (PCR 4) -- NTFS Boot Sector (PCR 8) -- NTFS Boot Block (PCR 9) -- Boot Manager (PCR 10) -- BitLocker Access Control (PCR 11) +- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) +- Option ROM Code (PCR 2) +- Master Boot Record (MBR) Code (PCR 4) +- NTFS Boot Sector (PCR 8) +- NTFS Boot Block (PCR 9) +- Boot Manager (PCR 10) +- BitLocker Access Control (PCR 11) > [!NOTE] -> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. The following list identifies all of the available PCRs: -- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions -- PCR 1: Platform and motherboard configuration and data. -- PCR 2: Option ROM code -- PCR 3: Option ROM data and configuration -- PCR 4: Master Boot Record (MBR) code -- PCR 5: Master Boot Record (MBR) partition table -- PCR 6: State transition and wake events -- PCR 7: Computer manufacturer-specific -- PCR 8: NTFS boot sector -- PCR 9: NTFS boot block -- PCR 10: Boot manager -- PCR 11: BitLocker access control -- PCR 12-23: Reserved for future use +- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions +- PCR 1: Platform and motherboard configuration and data. 
+- PCR 2: Option ROM code +- PCR 3: Option ROM data and configuration +- PCR 4: Master Boot Record (MBR) code +- PCR 5: Master Boot Record (MBR) partition table +- PCR 6: State transition and wake events +- PCR 7: Computer manufacturer-specific +- PCR 8: NTFS boot sector +- PCR 9: NTFS boot block +- PCR 10: Boot manager +- PCR 11: BitLocker access control +- PCR 12-23: Reserved for future use -### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) +### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. 
Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -**Reference** +#### Reference: Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection. -A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: +A platform validation profile consists of a set of PCR indices that range from 0 to 23. 
The default platform validation profile secures the encryption key against changes to the following PCRs: -- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) -- Option ROM Code (PCR 2) -- Master Boot Record (MBR) Code (PCR 4) -- NTFS Boot Sector (PCR 8) -- NTFS Boot Block (PCR 9) -- Boot Manager (PCR 10) -- BitLocker Access Control (PCR 11) +- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) +- Option ROM Code (PCR 2) +- Master Boot Record (MBR) Code (PCR 4) +- NTFS Boot Sector (PCR 8) +- NTFS Boot Block (PCR 9) +- Boot Manager (PCR 10) +- BitLocker Access Control (PCR 11) > [!NOTE] > The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. The following list identifies all of the available PCRs: -- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code -- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration -- PCR 2: Option ROM code -- PCR 3: Option ROM data and configuration -- PCR 4: Master Boot Record (MBR) code or code from other boot devices -- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table -- PCR 6: State transition and wake events -- PCR 7: Computer manufacturer-specific -- PCR 8: NTFS boot sector -- PCR 9: NTFS boot block -- PCR 10: Boot manager -- PCR 11: BitLocker access control -- PCR 12 - 23: Reserved for future use +- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code +- PCR 1: Platform and motherboard configuration and data. 
Hand-off tables and EFI variables that affect system configuration +- PCR 2: Option ROM code +- PCR 3: Option ROM data and configuration +- PCR 4: Master Boot Record (MBR) code or code from other boot devices +- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table +- PCR 6: State transition and wake events +- PCR 7: Computer manufacturer-specific +- PCR 8: NTFS boot sector +- PCR 9: NTFS boot block +- PCR 10: Boot manager +- PCR 11: BitLocker access control +- PCR 12 - 23: Reserved for future use > [!WARNING] -> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -### Configure TPM platform validation profile for native UEFI firmware configurations +### Configure TPM platform validation profile for native UEFI firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.| +|**Policy description**|With this policy setting, it can be configured how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

    If your environments use TPM and Secure Boot for platform integrity checks, this policy is configured.

    For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.| -|**When enabled**|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|Setting this policy with PCR 7 omitted overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

    If an environment uses TPM and Secure Boot for platform integrity checks, this policy is configured.

    For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.| +|**When enabled**|Before BitLocker is turned on, the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When disabled or not configured**|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -**Reference** +#### Reference: Configure TPM platform validation profile for native UEFI firmware configurations This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection. 
@@ -1180,161 +1180,160 @@ A platform validation profile consists of a set of PCR indices ranging from 0 to The following list identifies all of the available PCRs: -- PCR 0: Core System Firmware executable code -- PCR 1: Core System Firmware data -- PCR 2: Extended or pluggable executable code -- PCR 3: Extended or pluggable firmware data -- PCR 4: Boot Manager -- PCR 5: GPT/Partition Table -- PCR 6: Resume from S4 and S5 Power State Events -- PCR 7: Secure Boot State +- PCR 0: Core System Firmware executable code +- PCR 1: Core System Firmware data +- PCR 2: Extended or pluggable executable code +- PCR 3: Extended or pluggable firmware data +- PCR 4: Boot Manager +- PCR 5: GPT/Partition Table +- PCR 6: Resume from S4 and S5 Power State Events +- PCR 7: Secure Boot State - For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article. + For more information about this PCR, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article. -- PCR 8: Initialized to 0 with no Extends (reserved for future use) -- PCR 9: Initialized to 0 with no Extends (reserved for future use) -- PCR 10: Initialized to 0 with no Extends (reserved for future use) -- PCR 11: BitLocker access control -- PCR 12: Data events and highly volatile events -- PCR 13: Boot Module Details -- PCR 14: Boot Authorities -- PCR 15 – 23: Reserved for future use +- PCR 8: Initialized to 0 with no Extends (reserved for future use) +- PCR 9: Initialized to 0 with no Extends (reserved for future use) +- PCR 10: Initialized to 0 with no Extends (reserved for future use) +- PCR 11: BitLocker access control +- PCR 12: Data events and highly volatile events +- PCR 13: Boot Module Details +- PCR 14: Boot Authorities +- PCR 15 - 23: Reserved for future use > [!WARNING] -> Changing from the default platform validation profile affects the security and manageability of your computer. 
BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -### Reset platform validation data after BitLocker recovery +### Reset platform validation data after BitLocker recovery -This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. +This policy setting determines if platform validation data should refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.| +|**Policy description**|With this policy setting, it can be controlled whether platform validation data is refreshed when Windows is started following a BitLocker recovery.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| |**When disabled**|Platform validation data isn't refreshed when Windows is started following a BitLocker recovery.| |**When not configured**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| -**Reference** +#### Reference: Reset platform validation data after BitLocker recovery For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). -### Use enhanced Boot Configuration Data validation profile +### Use enhanced Boot Configuration Data validation profile This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. 
-| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.| +|**Policy description**|With this policy setting, Boot Configuration Data (BCD) settings to verify during platform validation can be specified.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).| -|**When enabled**|You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.| +|**When enabled**|Additional BCD settings can be added and specified BCD settings can be excluded. Also a customized BCD validation profile can be created by combining inclusion and exclusion lists. 
The customized BCD validation profile gives the ability to verify BCD settings.| |**When disabled**|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.| |**When not configured**|The computer verifies the default BCD settings in Windows.| -**Reference** +#### Reference: Use enhanced Boot Configuration Data validation profile > [!NOTE] > The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it's included in the inclusion or the exclusion list. -### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows +### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and whether BitLocker To Go Reader can be installed on the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).| +|**Policy description**|With this policy setting, it can be configured whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|None| |**When enabled and When not configured**|Fixed data drives that are formatted with the FAT 
file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| |**When disabled**|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.| -**Reference** +#### Reference: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows > [!NOTE] > This policy setting doesn't apply to drives that are formatted with the NTFS file system. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. 
-### Allow access to BitLocker-protected removable data drives from earlier versions of Windows +### Allow access to BitLocker-protected removable data drives from earlier versions of Windows This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.| +|**Policy description**|With this policy setting, it can be configured whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| |**When enabled and When not configured**|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| |**When disabled**|Removable data drives that are formatted with the FAT file system that are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. 
BitLocker To Go Reader (bitlockertogo.exe) isn't installed.| -**Reference** +#### Reference: Allow access to BitLocker-protected removable data drives from earlier versions of Windows > [!NOTE] > This policy setting doesn't apply to drives that are formatted with the NTFS file system. -When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that don't have BitLocker To Go Reader installed. +When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. 
In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista or Windows XP that don't have BitLocker To Go Reader installed. ## FIPS setting -You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. +The Federal Information Processing Standard (FIPS) setting for FIPS compliance can be configured. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. -| |   | +| Item | Info | |:---|:---| |**Policy description**|Notes| |**Introduced**|Windows Server 2003 with SP1| |**Drive type**|System-wide| -|**Policy path**|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**| +|**Policy path**|*Local Policies* > *Security Options* > *System cryptography*: **Use FIPS compliant algorithms for encryption, hashing, and signing**| |**Conflicts**|Some applications, such as Terminal Services, don't support FIPS-140 on all operating systems.| -|**When enabled**|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. Also, you can't use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.| +|**When enabled**|Users will be unable to save a recovery password to any location. This policy setting includes AD DS and network folders. 
Also, WMI or the BitLocker Drive Encryption Setup wizard can't be used to create a recovery password.| |**When disabled or not configured**|No BitLocker encryption key is generated| -**Reference** +### Reference: FIPS setting This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. -You can save the optional recovery key to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. +The optional recovery key can be saved to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. -You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. +The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures. For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). ## Power management group policy settings: Sleep and Hibernate -PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised. 
+PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system's battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. Not needing to reauthenticate when resuming from Sleep might lead to conditions where data security is compromised. However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. -You can disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states: +To disable all available sleep states, disable the Group Policy settings located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management** : -- Allow Standby States (S1-S3) When Sleeping (Plugged In) -- Allow Standby States (S1-S3) When Sleeping (Battery) +- **Allow Standby States (S1-S3) When Sleeping (Plugged In)** +- **Allow Standby States (S1-S3) When Sleeping (Battery)** -## About the Platform Configuration Register (PCR) +## About the Platform Configuration Register (PCR) A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. 
-Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -**About PCR 7** +### About PCR 7 -PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This -reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. +PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. 
This process reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides with greater flexibility to manage the preboot configuration. PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol). PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. -## See also +## Related articles - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 531619802d..6e918604ba 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md 
@@ -4,56 +4,73 @@ description: This article for the IT professional explains how to deploy BitLock ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker: How to deploy on Windows Server 2012 and later -> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 +*Applies to:* + +- Windows Server 2012 +- Windows Server 2012 R2 +- Windows Server 2016 and above This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed. -## Installing BitLocker +## Installing BitLocker -### To install BitLocker using server manager +### To install BitLocker using server manager -1. Open server manager by selecting the server manager icon or running servermanager.exe. -2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** -3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). -4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. -5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed. -6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. 
- **Note**: Server roles and features are installed by using the same wizard in Server Manager. -7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If you don't want to install these features, deselect the **Include management tools -** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. +1. Open server manager by selecting the server manager icon or running servermanager.exe. - > **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems. -   -8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete. -9. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. +2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** -### To install BitLocker using Windows PowerShell +3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). -Windows PowerShell offers administrators another option for BitLocker feature installation. 
Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules don't always share feature name parity. Because of this, it's advisable to confirm the feature or role name prior to installation. +4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. + +5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed. + +6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. + + > [!NOTE] + > Server roles and features are installed by using the same wizard in Server Manager. + +7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**. + + > [!NOTE] + > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems. + +8. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. + +9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete. + +10. 
If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. + +### To install BitLocker using Windows PowerShell + +Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism.exe` module. However, the `servermanager` and `dism.exe` modules don't always share feature name parity. Because of this mismatch of feature name parity, it's advisable to confirm the feature or role name prior to installation. + +> [!NOTE] +> The server must be restarted to complete the installation of BitLocker. ->**Note:**  You must restart the server to complete the installation of BitLocker. -  ### Using the servermanager module to install BitLocker -The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. +The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. -By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. 
This can be seen using the `-WhatIf` option in Windows PowerShell. +By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell. ```powershell Install-WindowsFeature BitLocker -WhatIf ``` + The results of this command show that only the BitLocker Drive Encryption feature is installed using this command. To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command: @@ -64,13 +81,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). -- BitLocker Drive Encryption -- BitLocker Drive Encryption Tools -- BitLocker Drive Encryption Administration Utilities -- BitLocker Recovery Password Viewer -- AD DS Snap-Ins and Command-Line Tools -- AD DS Tools -- AD DS and AD LDS Tools +- BitLocker Drive Encryption +- BitLocker Drive Encryption Tools +- BitLocker Drive Encryption Administration Utilities +- BitLocker Recovery Password Viewer +- AD DS Snap-Ins and Command-Line Tools +- AD DS Tools +- AD DS and AD LDS Tools The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is: 
@@ -78,19 +95,20 @@ The command to complete a full installation of the BitLocker feature with all av Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` ->**Important:**  Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. -  +> [!IMPORTANT] +> Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. + ### Using the dism module to install BitLocker -The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module doesn't support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. +The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. ```powershell Get-WindowsOptionalFeature -Online | ft ``` -From this output, we can see that there are three BitLocker-related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. 
+From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items. -To install BitLocker using the `dism` module, use the following command: +To install BitLocker using the `dism.exe` module, use the following command: ```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All @@ -101,7 +119,8 @@ This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cm ```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` -## More information + +## Related articles - [BitLocker overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 0865f08910..37481aac1c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md 
@@ -4,93 +4,99 @@ description: This article for the IT professional describes how BitLocker Networ ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- -# BitLocker: How to enable network unlock +# BitLocker: How to enable Network Unlock -**Applies to** +*Applies to:* - Windows 10 - Windows 11 - Windows Server 2016 and above -This topic describes how BitLocker network unlock works and how to configure it. +This article describes how BitLocker Network Unlock works and how to configure it. -Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. -Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. +Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. 
Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. -Network unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. +Network Unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. -## Network unlock core requirements +## Network Unlock core requirements Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include: -- Windows 8 or Windows Server 2012 as the current operating system. -- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients. -- Network Unlock clients with a TPM chip and at least one TPM protector. -- A server running the Windows Deployment Services (WDS) role on any supported server operating system. 
-- BitLocker Network Unlock optional feature installed on any supported server operating system. -- A DHCP server, separate from the WDS server. -- Properly configured public/private key pairing. -- Network Unlock group policy settings configured. - -The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus; therefore, you need to confirm that the network stack has been enabled in the BIOS before starting the computer. +- Currently supported Windows operating system +- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients +- Network Unlock clients with a TPM chip and at least one TPM protector +- A server running the Windows Deployment Services (WDS) role on any supported server operating system +- BitLocker Network Unlock optional feature installed on any supported server operating system +- A DHCP server, separate from the WDS server +- Properly configured public/private key pairing +- Network Unlock group policy settings configured +- Network stack enabled in the UEFI firmware of client devices > [!NOTE] > To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled. -On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock. +For Network Unlock to work reliably on computers, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This first network adapter must be used for Network Unlock. This configuration is especially worth noting when the device has multiple adapters, and some adapters are configured without DHCP, such as for use with a lights-out management protocol. 
This configuration is necessary because Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails. -For network unlock to work reliably on computers running Windows 8 and later versions, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and must be used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because network unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails. - The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. -Network unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service must be running on the server. +Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server. The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. 
The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. -## Network Unlock sequence +## Network Unlock sequence -The unlock sequence starts on the client side when the Windows boot manager detects the existence of network unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. +The unlock sequence starts on the client side when the Windows boot manager detects the existence of Network Unlock protector. It uses the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. -On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming network unlock requests. You can also configure the provider with subnet restrictions, which would require that the IP address provided by the client in the network unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. 
In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. +On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive. The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM. -![Diagram showing the BitLocker network unlock sequence.](images/bitlockernetworkunlocksequence.png) +![Diagram showing the BitLocker Network Unlock sequence.](images/bitlockernetworkunlocksequence.png) The Network Unlock process follows these phases: -1. 
The Windows boot manager detects a Network Unlock protector in the BitLocker configuration. -2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address. -3. The client computer broadcasts a vendor-specific DHCP request that contains: - 1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the network unlock certificate from the WDS server. - 2. An AES-256 session key for the reply. -4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. -5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key. -6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key. -7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM. -8. This combined key is used to create an AES-256 key that unlocks the volume. -9. Windows continues the boot sequence. +1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration. -## Configure network unlock +2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address. -The following steps allow an administrator to configure network unlock in a domain where the Domain Functional Level is at least Windows Server 2012. +3. The client computer broadcasts a vendor-specific DHCP request that contains: -### Install the WDS server role + 1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. -The BitLocker network unlock feature installs the WDS role if it is not already installed. If you want to install it separately before you install BitLocker network unlock, you can use Server Manager or Windows PowerShell. 
To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. + 2. An AES-256 session key for the reply. + +4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. + +5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key. + +6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key. + +7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM. + +8. This combined key is used to create an AES-256 key that unlocks the volume. + +9. Windows continues the boot sequence. + +## Configure Network Unlock + +The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. + +### Install the WDS server role + +The BitLocker Network Unlock feature installs the WDS role if it isn't already installed. WDS can be installed separately before BitLocker Network Unlock is installed by using **Server Manager** or **Windows PowerShell**. To install the role using Server Manager, select the **Windows Deployment Services** role in **Server Manager**. To install the role by using Windows PowerShell, use the following command: 
@@ -98,94 +104,132 @@ To install the role by using Windows PowerShell, use the following command: Install-WindowsFeature WDS-Deployment ``` -You must configure the WDS server so that it can communicate with DHCP (and optionally AD DS) and the client computer. You can configure using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration wizard. +The WDS server must be configured so that it can communicate with DHCP (and optionally AD DS) and the client computer. The WDS server can be configured using the WDS management tool, `wdsmgmt.msc`, which starts the Windows Deployment Services Configuration wizard. -### Confirm the WDS service is running +### Confirm the WDS service is running -To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. +To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using `services.msc` and check the status of the Windows Deployment Services service. To confirm that the service is running using Windows PowerShell, use the following command: ```powershell Get-Service WDSServer ``` -### Install the Network Unlock feature -To install the network unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. +### Install the Network Unlock feature + +To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. 
To install the feature by using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock + +### Create the certificate template for Network Unlock A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. -1. Open the Certificates Template snap-in (certtmpl.msc). -2. Locate the User template, right-click the template name and select **Duplicate Template**. -3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected. -4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option. -5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected. -6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.) -7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as **Microsoft Software Key Storage Provider**. -8. Select the **Subject Name** tab. Select **Supply in the request**. Click **OK** if the certificate templates pop-up dialog appears. -9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. +1. 
Open the Certificates Template snap-in (`certtmpl.msc`). + +2. Locate the User template, right-click the template name and select **Duplicate Template**. + +3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected. + +4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option. + +5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected. + +6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, it is recommended to use **Microsoft Software Key Storage Provider**. + +7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider selected, such as **Microsoft Software Key Storage Provider**. + +8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears. + +9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. + 10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. + 11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. + 12. On the **Edit Application Policies Extension** dialog box, select **Add**. -13. On the **Add Application Policy** dialog box, select **New**. 
In the **New Application Policy** dialog box, enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: - - **Name:** **BitLocker Network Unlock** - - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** +13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then select **OK** to create the BitLocker Network Unlock application policy: + + - *Name:* **BitLocker Network Unlock** + - *Object Identifier:* **1.3.6.1.4.1.311.67.1.1** + +14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. -14. Select the newly created **BitLocker Network Unlock** application policy and click **OK**. 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. + 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. -17. Click **OK** to complete configuration of the template. + +17. Select **OK** to complete configuration of the template. To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. -After you add the Network Unlock template to the certificate authority, you can use this certificate to configure BitLocker Network Unlock. +After the Network Unlock template is added to the certificate authority, this certificate can be used to configure BitLocker Network Unlock. 
-### Create the Network Unlock certificate +### Create the Network Unlock certificate Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate. To enroll a certificate from an existing certificate authority: -1. On the WDS server, open Certificate Manager by using `certmgr.msc`. -2. Under **Certificates - Current User**, right-click **Personal**. -3. Select **All Tasks** > **Request New Certificate**. -4. When the Certificate Enrollment wizard opens, select **Next**. -5. Select **Active Directory Enrollment Policy**. -6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**. -1. When you're prompted for more information, select **Subject Name** and provide a friendly name value. Your friendly name should include information for the domain or organizational unit for the certificate. Here's an example: *BitLocker Network Unlock Certificate for Contoso domain*. -7. Create the certificate. Ensure the certificate appears in the **Personal** folder. -8. Export the public key certificate for Network Unlock: - 1. Create a .cer file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. - 2. Select **No, do not export the private key**. - 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. - 4. Give the file a name such as BitLocker-NetworkUnlock.cer. +1. On the WDS server, open Certificate Manager by using `certmgr.msc`. -9. Export the public key with a private key for Network Unlock. +2. Under **Certificates - Current User**, right-click **Personal**. - 1. Create a .pfx file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. - 2. Select **Yes, export the private key**. - 3. Complete the steps to create the *.pfx* file. +3. Select **All Tasks** > **Request New Certificate**. 
-To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq`. +4. When the Certificate Enrollment wizard opens, select **Next**. -Here's a Windows PowerShell example: +5. Select **Active Directory Enrollment Policy**. + +6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**. + +7. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate. For example: + + *BitLocker Network Unlock Certificate for Contoso domain* + +8. Create the certificate. Ensure the certificate appears in the **Personal** folder. + +9. Export the public key certificate for Network Unlock: + + 1. Create a `.cer` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. + + 2. Select **No, do not export the private key**. + + 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. + + 4. Give the file a name such as BitLocker-NetworkUnlock.cer. + +10. Export the public key with a private key for Network Unlock. + + 1. Create a `.pfx` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. + + 2. Select **Yes, export the private key**. + + 3. Complete the steps to create the `.pfx` file. + +To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq.exe`. 
For example: + +**Windows PowerShell:** ```powershell New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1") ``` -Here's a `certreq` example: +**certreq.exe:** -1. Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf. -2. Add the following contents to the previously created file: +1. Create a text file with an `.inf` extension, for example: + + ```cmd + notepad.exe BitLocker-NetworkUnlock.inf + ``` + +2. Add the following contents to the previously created file: ```ini [NewRequest] 
@@ -206,61 +250,82 @@ Here's a `certreq` example: _continue_ = "1.3.6.1.4.1.311.67.1.1" ``` -3. Open an elevated command prompt and use the `certreq` tool to create a new certificate. Use the following command, specifying the full path to the file that you created previously. Also specify the file name. +3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name: ```cmd - certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer + certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` -4. Verify that certificate was properly created by the previous command by confirming that the .cer file exists. -5. Launch Certificates - Local Machine by running **certlm.msc**. -6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file. -### Deploy the private key and certificate to the WDS server +4. Verify that certificate was properly created by the previous command by confirming that the `.cer` file exists. -Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates: +5. Launch the **Certificates - Local Computer** console by running `certlm.msc`. -1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. -2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item -, select **All Tasks**, and then select **Import**. -3. In the **File to Import** dialog, choose the .pfx file created previously. -4. Enter the password used to create the .pfx and complete the wizard. +6. 
Create a `.pfx` file by following the below steps the **Certificates - Local Computer** console: -### Configure group policy settings for network unlock + 1. Navigate to **Certificates - Local Computer** > **Personal** > **Certificates** -With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. + 2. Right-click the previously imported certificate, select **All Tasks**, and then select **Export** -The following steps describe how to enable the group policy setting that is a requirement for configuring network unlock. + 3. Follow through the wizard to create the `.pfx` file. -1. Open Group Policy Management Console (`gpmc.msc`). -2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**. -3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. +### Deploy the private key and certificate to the WDS server + +After creating the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates: + +1. On the WDS server, launch the **Certificates - Local Computer** console by running `certlm.msc`. + +2. Right-click **BitLocker Drive Encryption Network Unlock** item under **Certificates (Local Computer)**, select **All Tasks**, and then select **Import**. + +3. In the **File to Import** dialog, choose the `.pfx` file created previously. + +4. Enter the password used to create the `.pfx` and complete the wizard. 
+ +### Configure group policy settings for Network Unlock + +With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to the desired computers that will use the Network Unlock key to unlock. Group policy settings for BitLocker can be found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. + +The following steps describe how to enable the group policy setting that is a requirement for configuring Network Unlock. + +1. Open Group Policy Management Console (`gpmc.msc`). +2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**. +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. The following steps describe how to deploy the required group policy setting: > [!NOTE] -> The group policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. - -1. Copy the *.cer* file that you created for Network Unlock to the domain controller. -2. On the domain controller, open Group Policy Management Console (`gpmc.msc`). -3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. -4. Deploy the public certificate to clients: - 1. Within group policy management console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**. - 2. Right-click the folder and select **Add Network Unlock Certificate**. - 3. Follow the wizard steps and import the .cer file that was copied earlier. 
+> The group policy settings **Allow Network Unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. + +1. Copy the `.cer` file that was created for Network Unlock to the domain controller. + +2. On the domain controller, open Group Policy Management Console (`gpmc.msc`). + +3. Create a new Group Policy Object or modify an existing object to enable the **Allow Network Unlock at startup** setting. + +4. Deploy the public certificate to clients: + + 1. Within group policy management console, navigate to the following location: + + **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate**. + + 2. Right-click the folder and select **Add Network Unlock Certificate**. + + 3. Follow the wizard steps and import the `.cer` file that was copied earlier. > [!NOTE] - > Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer. + > Only one Network Unlock certificate can be available at a time. If a new certificate is needed, delete the current certificate before deploying a new one. The Network Unlock certificate is located under the **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** registry key on the client computer. + +5. Reboot the clients after the Group Policy is deployed. -5. Reboot the clients after you deploy the Group Policy. > [!NOTE] > The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store. 
- + ### Subnet policy configuration files on the WDS server (optional) -By default, all clients with the correct network unlock certificate and valid Network Unlock protectors that have wired access to a network unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the network unlock clients can use to unlock. +By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock. -The configuration file, called bde-network-unlock.ini, must be located in the same directory as the network unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests. +The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests. -The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name–value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. 
+The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names. ```ini [SUBNETS] 
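Review bot: step 6 is missing a word: "by following the below steps the **Certificates - Local Computer** console" should read "by following the steps below in the **Certificates - Local Computer** console". In the same hunk, step 4 still reads "Verify that certificate was properly created" (needs "the certificate"), and deployment step 2 calls the console **Certificates (Local Computer)** while step 1 directly above names it **Certificates - Local Computer**; pick one name for the snap-in so readers can match it to what `certlm.msc` shows.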
@@ -269,13 +334,15 @@ SUBNET2=10.185.252.200/28 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. ``` -Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate. + +Following the **\[SUBNETS\]** section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate. > [!NOTE] > When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid. -Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every network unlock certificate on the server, and an explicit allowed list set for each certificate section. -Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. 
For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. +Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate doesn't have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. For restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. + +Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon. ```ini [2158a767e1c14e88e27a4c0aee111d2de2eafe60] 
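Review bot: the rewritten sentence carries over the original's garbled clause "which define the subnets clients that can be unlocked from that certificate"; suggest "which define the subnets from which clients can be unlocked with that certificate". Likewise "on the subnet(s) specified as in the list" further down reads better as "on the subnet(s) listed in that section", and this is the right opportunity to fix both since the lines are already being rewritten.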
@@ -288,94 +355,115 @@ SUBNET3 To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list. -## Turn off Network Unlock +## Turn off Network Unlock - -To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating network unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker network unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. +To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. > [!NOTE] -> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server. - -## Update Network Unlock certificates +> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. 
However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. -To update the certificates used by network unlock, administrators need to import or generate the new certificate for the server and then update the network unlock certificate group policy setting on the domain controller. +## Update Network Unlock certificates + +To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server, and then update the Network Unlock certificate group policy setting on the domain controller. > [!NOTE] > Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate. -## Troubleshoot Network Unlock +## Troubleshoot Network Unlock -Troubleshooting network unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include: +Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include: + +- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode. -- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. 
Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. - All required roles and services are installed and started. -- Public and private certificates have been published and are in the proper certificate containers. The presence of the network unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. -- Group policy for network unlock is enabled and linked to the appropriate domains. -- Verify whether group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. + +- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer. + +- Group policy for Network Unlock is enabled and linked to the appropriate domains. + +- Verify whether group policy is reaching the clients properly. Verification of group policy can be done using the `GPRESULT.exe` or `RSOP.msc` utilities. + - Verify whether the clients were rebooted after applying the policy. -- Verify whether the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. 
For example, the following command will list the key protectors currently configured on the C: drive of the local computer: + +- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer: ```powershell - manage-bde -protectors -get C: + manage-bde.exe -protectors -get C: ``` + > [!NOTE] - > Use the output of `manage-bde` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock. - + > Use the output of `manage-bde.exe` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock. + Gather the following files to troubleshoot BitLocker Network Unlock. - The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log. - Debug logging is turned off by default for the WDS server role, so you need to enable it before you can retrieve it. Use either of the following two methods to turn on WDS debug logging. + Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging. - - Start an elevated command prompt, and then run the following command: + - Start an elevated command prompt, and then run the following command: - ```cmd - wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true - ``` - - Open Event Viewer on the WDS server: + ```cmd + wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true + ``` + + - Open **Event Viewer** on the WDS server: + + 1. 
In the left pane, navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**. + 2. In the right pane, select **Enable Log**. - 1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**. - 1. In the right pane, select **Enable Log**. - The DHCP subnet configuration file (if one exists). -- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`. + +- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`. + - The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address. -## Configure Network Unlock Group Policy settings on earlier versions + -- [BitLocker overview](bitlocker-overview.md) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) -- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +## Related articles + +- [BitLocker overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml index 369d16d8e8..ed40610b48 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml 
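Review bot: the `manage-bde.exe -protectors -get C:` block is fenced as ```powershell while every other `manage-bde.exe` and `wevtutil.exe` invocation in this change is fenced as ```cmd; the line shown is the manage-bde form, so tag it `cmd` for consistency. Also, "Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled." says the same thing twice; one sentence such as "Debug logging is off by default for the WDS server role and must be enabled before the log can be retrieved." is enough.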
@@ -3,24 +3,26 @@ metadata: title: BitLocker Key Management FAQ (Windows 10) description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Key Management FAQ summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above sections: 
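Review bot: the summary's *Applies to* list now adds Windows 11 and Windows Server 2016 and above, but the metadata `title:` on the first line of this hunk still reads "BitLocker Key Management FAQ (Windows 10)"; update or drop the "(Windows 10)" qualifier so the page title matches the new scope. The `ms.reviewer:` key is removed without a replacement value; if that is intentional it is fine, otherwise it should be kept alongside the new `author`/`ms.author` entries.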
@@ -28,9 +30,11 @@ sections: questions: - question: How can I authenticate or unlock my removable data drive? answer: | - You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde: + Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`: - Manage-bde -protectors -add e: -sid domain\username + ```cmd + Manage-bde.exe -protectors -add e: -sid domain\username + ``` - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? answer: | 
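Review bot: the new fenced command keeps the capitalized `Manage-bde.exe` while the rest of this change standardizes on lowercase `manage-bde.exe` (compare the TPM+PIN example later in the same file); lowercase it here. The rewritten answer also switches between "An SID protector" and "a SID protector" within three sentences; use one article form throughout.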
@@ -38,83 +42,85 @@ sections: - question: How can the recovery password and recovery key be stored? answer: | - The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. + The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed. - For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. + For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive. - A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. + A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? answer: | - You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. 
For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use: + The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN: - manage-bde –protectors –delete %systemdrive% -type tpm - - manage-bde –protectors –add %systemdrive% -tpmandpin 4-20 digit numeric PIN + ```cmd + manage-bde.exe -protectors -delete %systemdrive% -type tpm + + manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN> + ``` - question: When should an additional method of authentication be considered? answer: | - New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. - For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. + New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. 
For example, Surface Pro and Surface Book don't have external DMA ports to attack. + For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers. - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable? answer: | BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. > [!IMPORTANT] - > Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. + > Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location. - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key? - answer: While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. + answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. 
In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. - question: Can I save the startup key on multiple USB flash drives? - answer: Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. + answer: Yes, computer's startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide the options to save the recovery keys on additional USB flash drives as needed. - question: Can I save multiple (different) startup keys on the same USB flash drive? - answer: Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. + answer: Yes, BitLocker startup keys for different computers can be saved on the same USB flash drive. - question: Can I generate multiple (different) startup keys for the same computer? - answer: You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. + answer: Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. - question: Can I generate multiple PIN combinations? - answer: You cannot generate multiple PIN combinations. + answer: Generating multiple PIN combinations can't be done. - question: What encryption keys are used in BitLocker? How do they work together? - answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. 
The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. + answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on the authentication (that is, key protectors or TPM) and recovery scenarios. - question: Where are the encryption keys stored? answer: | The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. - This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. + This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. - question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password? answer: | - The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. + The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. 
The numeric keys 0 through 9 aren't usable in the pre-boot environment on all keyboards. When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. - question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? answer: | - It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. + It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer. - The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. - After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. + The TPM has the built-in ability to detect and react to these types of attacks. 
Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks. + After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. - question: How can I determine the manufacturer of my TPM? - answer: You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**. + answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**. - question: How can I evaluate a TPM's dictionary attack mitigation mechanism? answer: | - The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: + The following questions can assist when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: - - How many failed authorization attempts can occur before lockout? - - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? - - What actions can cause the failure count and lockout duration to be decreased or reset? + - How many failed authorization attempts can occur before lockout? + - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? + - What actions can cause the failure count and lockout duration to be decreased or reset? - question: Can PIN length and complexity be managed with Group Policy? answer: | - Yes and No. 
You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. + Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 55b4f6d837..e3bea9928b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -3,65 +3,61 @@ title: BitLocker Management Recommendations for Enterprises (Windows 10) description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers. ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker management for enterprises -The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. +The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. 
Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. - - -> [!IMPORTANT] -> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [ConfigMgr in on-prem scenarios](/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker/) in the future. +Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. ## Managing domain-joined computers and moving to cloud -Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. 
As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). +Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). +> [!IMPORTANT] +> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information. 
+ ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, or Windows 11, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, or Windows 11, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. 
-Starting with Windows 10 version 1703 (also known as the Windows Creators Update), or Windows 11, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones. +Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones. -For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), or Windows 11, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. - -This is applicable to Azure Hybrid AD as well. +For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. 
Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. ## Managing workplace-joined PCs and phones For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. - ## Managing servers -Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. +Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. -The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. 
On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). +The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). -If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. +If a server is being installed manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core. - Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. 
BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles). - For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles). -  ## PowerShell examples For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD. -*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* +**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* + ```powershell Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector 
@@ -70,9 +66,10 @@ $BLV = Get-BitLockerVolume -MountPoint "C:" BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId ``` -For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). +For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). + +**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker* -*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker* ```powershell Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector 
@@ -81,55 +78,44 @@ $BLV = Get-BitLockerVolume -MountPoint "C:" Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId ``` -Subsequently, you can use PowerShell to enable BitLocker. +PowerShell can then be used to enable BitLocker: + +**Example**: *Use PowerShell to enable BitLocker with a TPM protector* -*Example: Use PowerShell to enable BitLocker with a TPM protector* ```powershell Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector ``` -*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456* +**Example**: *Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456* + ```powershell $SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector -``` +``` ## Related Articles -[BitLocker: FAQs](bitlocker-frequently-asked-questions.yml) - -[Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) - -[Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) - -[BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md) - -[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/) +- [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml) +- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) +- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) +- [BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md) +- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/) *(Overview)* - -[Configuration Settings 
Providers](/windows/client-management/mdm/policy-configuration-service-provider) +- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider) *(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))* +- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) -[BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) +### Windows Server setup tools -**Windows Server setup tools** +- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/) +- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features) +- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)* +- [BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md) +- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) +- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) -[Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/) +### PowerShell -[How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features) - -[How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)* - -[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md) - -[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - -[Shielded VMs and Guarded 
Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) - - -**PowerShell** - -[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) - -[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/) \ No newline at end of file +- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) +- [Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/) diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index 11fe756cf9..697e19e565 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -2,24 +2,27 @@ metadata: title: BitLocker Network Unlock FAQ (Windows 10) description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.reviewer: ms.custom: bitlocker title: BitLocker Network Unlock FAQ summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above sections: - name: Ignored 
@@ -29,10 +32,10 @@ sections: answer: | BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. - To use Network Unlock you must also have a PIN configured for your computer. When your computer isn't connected to the network you'll need to provide the PIN to unlock it. + To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it. - BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. + BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used. - Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt you to enter your PIN. If the PIN isn't available, you'll need to use the recovery key to unlock the computer if it can't be connected to the network. + Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. 
If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network. For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 46325ab4f4..cb38246cbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -3,27 +3,28 @@ metadata: title: BitLocker overview and requirements FAQ (Windows 10) description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - M365-security-compliance - highpri ms.topic: faq - ms.date: 07/27/2021 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Overview and Requirements FAQ summary: | - **Applies to** - - Windows 10 - - Windows 11 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above sections: 
@@ -33,21 +34,21 @@ sections: answer: | **How BitLocker works with operating system drives** - You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. + BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. **How BitLocker works with fixed and removable data drives** - You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. + BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods. - question: Does BitLocker support multifactor authentication? - answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. + answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection. - question: What are the BitLocker hardware and software requirements? 
answer: | For requirements, see [System requirements](bitlocker-overview.md#system-requirements). > [!NOTE] - > Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker. + > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker. - question: Why are two partitions required? Why does the system drive have to be so large? answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. 
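Review bot: "BitLocker Can be used to mitigate unauthorized data access" in the rewritten operating-system-drives paragraph capitalizes "Can" mid-sentence; change it to "BitLocker can be used to mitigate ...". In the same hunk, "Group Policy can be used to require BitLocker be enabled on a drive" dropped the "that" the original sentence had; "require that BitLocker be enabled on a drive" reads more naturally.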
@@ -57,27 +58,27 @@ sections: BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. > [!NOTE] - > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. + > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature. > - > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. + > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI. - - question: How can I tell if a TPM is on my computer? - answer: Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. You can also run [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** in PowerShell to get more details about the TPM on the current computer. + - question: How can I tell if a computer has a TPM? 
+ answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer. - question: Can I use BitLocker on an operating system drive without a TPM? answer: | - Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. + Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. 
- question: How do I obtain BIOS support for the TPM on my computer? answer: | Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: - - It is compliant with the TCG standards for a client computer. - - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. + - It's compliant with the TCG standards for a client computer. + - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. - question: What credentials are required to use BitLocker? answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. - question: What is the recommended boot order for computers that are going to be BitLocker-protected? - answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  + answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. 
If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked. diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 10c1086676..8d97d00a81 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
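Review bot: the rewritten MBR2GPT note, "Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI", now attaches the relative clause to the BIOS mode rather than to the tool, which inverts the meaning; suggest "Use the [MBR2GPT](/windows/deployment/mbr-to-gpt) tool to prepare the OS and the disk to support UEFI before changing the BIOS mode." While touching the Get-TPM answer in this hunk, also drop the stray trailing `**` after the link (`[**Get-TPM**](...)**`), which is carried over from the old line and renders as literal asterisks.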
@@ -1,68 +1,69 @@ --- title: BitLocker -description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -ms.author: dansimp +description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. +ms.author: frankroj ms.prod: windows-client ms.localizationpriority: medium -author: dansimp +author: frankroj manager: aaroncz ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 01/26/2018 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker -**Applies to** +*Applies to:* - Windows 10 - Windows 11 - Windows Server 2016 and above -This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. +This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -## BitLocker overview +## BitLocker overview BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. +BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. 
It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline. -On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. +On computers that don't have a TPM version 1.2 or later versions, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, an operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. -In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. +In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. 
These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. -## Practical applications +## Practical applications Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. -There are two additional tools in the Remote Server Administration Tools which you can use to manage BitLocker. +There are two additional tools in the Remote Server Administration Tools that can be used to manage BitLocker. -- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. - By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. +- **BitLocker Recovery Password Viewer**. 
The BitLocker Recovery Password Viewer enables the BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS) to be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. -- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the -BitLocker control panel, and they are appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console. + By using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. Additionally, a domain container can be searched for a BitLocker recovery password across all the domains in the Active Directory forest by right clicking on the domain container. Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator. -## New and changed functionality +- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the +BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. 
Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console. + +## New and changed functionality + +To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker). -To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10." -  ## System requirements BitLocker has the following hardware requirements: -For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. +For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker. -A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. +A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware. 
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. > [!IMPORTANT] -> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). +> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. 
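Review bot: "Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator" in the BitLocker Recovery Password Viewer bullet is ungrammatical and loses the original's meaning; suggest "Recovery passwords can only be viewed by a domain administrator or by a user who has been delegated permissions by a domain administrator." Earlier in the same hunk, "Both options don't provide the pre-startup system integrity verification" should be "Neither option provides the pre-startup system integrity verification". The unchanged [!NOTE] at the end of this hunk still says "TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes", while the FAQ copy of the same note was changed to "isn't supported" in this PR; align the two if the goal is consistent contractions.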
@@ -71,35 +72,31 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th The hard disk must be partitioned with at least two drives: -- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. -- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space. +- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. +- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space. When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker. -A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives). +A partition subject to encryption can't be marked as an active partition. 
This requirement applies to the operating system drives, fixed data drives, and removable data drives. - -When installing the BitLocker optional component on a server, you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. +When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives. ## In this section -| Topic | Description | +| Article | Description | | - | - | -| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | -| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| -| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. | -| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. | -| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.| -| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic describes how BitLocker Network Unlock works and how to configure it. 
| -| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic describes how to use tools to manage BitLocker.| -| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic describes how to use the BitLocker Recovery Password Viewer. | -| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | -| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.| -| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. | -| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | +| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This article provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This article answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This article explains the procedure you can use to plan your BitLocker deployment. 
| +| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This article explains how BitLocker features can be used to protect your data through drive encryption. | +| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This article explains how to deploy BitLocker on Windows Server.| +| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This article describes how BitLocker Network Unlock works and how to configure it. | +| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This article describes how to use tools to manage BitLocker.| +| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This article describes how to use the BitLocker Recovery Password Viewer. | +| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | +| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.| +| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. | +| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. 
| -| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| -| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic describes how to use BitLocker with Windows IoT Core | - - - +| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.| +| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core | diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 390b943e87..752d1dd02c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -1,6 +1,6 @@ --- title: BitLocker recovery guide -description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). +description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium 
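Review bot: in the "In this section" table hunk, the rows for "Prepare your organization for BitLocker" ("the procedure you can use to plan your BitLocker deployment") and "BitLocker basic deployment" ("protect your data") keep second person while the rest of this PR removes it; suggest "the procedure for planning a BitLocker deployment" and "protect data through drive encryption". Also, the split sentence "This requirement applies to the operating system drives, fixed data drives, and removable data drives" has a stray article; "applies to operating system drives, fixed data drives, and removable data drives" matches the list that follows.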
@@ -12,274 +12,322 @@ ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- # BitLocker recovery guide -**Applies to:** +*Applies to:* - Windows 10 - Windows 11 -- Windows Server 2016 and later +- Windows Server 2016 and above This article describes how to recover BitLocker keys from AD DS. -Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. +Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment. -This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. +This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. -This article does not detail how to configure AD DS to store the BitLocker recovery information. +This article doesn't detail how to configure AD DS to store the BitLocker recovery information. +## What is BitLocker recovery? -## What is BitLocker recovery? +BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available: -BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. 
In a recovery scenario, you have the following options to restore access to the drive: +- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain. -- **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. (Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain). -- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. -- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). 
+- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. + +- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). ### What causes BitLocker recovery? The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. 
Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout. -- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout. + +- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised. + - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. 
+ - Failing to boot from a network drive before booting from the hard drive. -- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. + +- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked. + - Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition. + - Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed. -- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM. 
+ +- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM. + - Turning off, disabling, deactivating, or clearing the TPM. + - Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change. + - Forgetting the PIN when PIN authentication has been enabled. + - Updating option ROM firmware. + - Upgrading TPM firmware. + - Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards. + - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. + - Changes to the master boot record on the disk. + - Changes to the boot manager on the disk. -- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. -- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs. + +- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software. + +- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs. 
+ - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. > [!NOTE] > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. - Moving the BitLocker-protected drive into a new computer. + - Upgrading the motherboard to a new one with a new TPM. + - Losing the USB flash drive containing the startup key when startup key authentication has been enabled. + - Failing the TPM self-test. -- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. + +- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. + - Changing the usage authorization for the storage root key of the TPM to a non-zero value. > [!NOTE] > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). + - Pressing the F8 or F10 key during the boot process. 
+ - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. + - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. - > [!NOTE] -> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components. - -For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. +> Before beginning recovery, it is recommend to determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components. + +For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. 
Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. -If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker network unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. +If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker network unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method. -Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. +Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user. -## Testing recovery +## Testing recovery -Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). 
The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. +Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation. **To force a recovery for the local computer:** -1. Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**. -2. At the command prompt, type the following command and then press **ENTER**: +1. Select the **Start** button and type in **cmd** - `manage-bde -forcerecovery ` +2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**. + +3. At the command prompt, enter the following command: + + ```cmd + manage-bde.exe -forcerecovery + ``` **To force recovery for a remote computer:** -1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**. +1. Select the **Start** button and type in **cmd** -2. At the command prompt, type the following command and then press **ENTER**: +2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**. - `manage-bde -ComputerName -forcerecovery ` +3. At the command prompt, enter the following command: + + ```cmd + manage-bde.exe -ComputerName -forcerecovery + ``` > [!NOTE] > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. 
When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). +## Planning the recovery process -## Planning your recovery process +When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: How does the enterprise handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model. -When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. 
MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/). -Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/). +After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization. -After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization. +When the recovery process is determined: -When you determine your recovery process, you should: +- Become familiar with how a recovery password can be retrieved. See: -- Become familiar with how you can retrieve the recovery password. 
See: - - - [Self-recovery](#bkmk-selfrecovery) - - [Recovery password retrieval](#bkmk-recoveryretrieval) + - [Self-recovery](#self-recovery) + - [Recovery password retrieval](#recovery-password-retrieval) - Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: - - [Post-recovery analysis](#bkmk-planningpostrecovery) + - [Post-recovery analysis](#post-recovery-analysis) +### Self-recovery -### Self-recovery +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. -In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. 
+### Recovery password retrieval -### Recovery password retrieval +If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. -If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. 
+- **Choose how BitLocker-protected operating system drives can be recovered** -- **Choose how BitLocker-protected operating system drives can be recovered** -- **Choose how BitLocker-protected fixed drives can be recovered** -- **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD -DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. +- **Choose how BitLocker-protected fixed drives can be recovered** + +- **Choose how BitLocker-protected removable drives can be recovered** + +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD +DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] -> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required. - +> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required. 
+ The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. -You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. +The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. -- [Record the name of the user's computer](#bkmk-recordcomputername) -- [Verify the user's identity](#bkmk-verifyidentity) -- [Locate the recovery password in AD DS](#bkmk-locatepassword) -- [Gather information to determine why recovery occurred](#bkmk-gatherinfo) -- [Give the user the recovery password](#bkmk-givepassword) +- [Record the name of the user's computer](#record-the-name-of-the-users-computer) +- [Verify the user's identity](#verify-the-users-identity) +- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds) +- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred) +- [Give the user the recovery password](#give-the-user-the-recovery-password) +### Record the name of the user's computer -### Record the name of the user's computer +The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer. -You can use the name of the user's computer to locate the recovery password in AD DS. 
If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. +### Verify the user's identity +The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user. -### Verify the user's identity - -You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user. - -### Locate the recovery password in AD DS - -Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. +### Locate the recovery password in AD DS +Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest. ### Multiple recovery passwords -If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. -If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console. 
+To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. -Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. +### Gather information to determine why recovery occurred -### Gather information to determine why recovery occurred +Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis). -Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). +### Give the user the recovery password - -### Give the user the recovery password - -Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. +Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. 
If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password. > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. -### Post-recovery analysis +### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. +When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. -If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. 
See: +If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see: -- [Determine the root cause of the recovery](#bkmk-determinecause) -- [Refresh BitLocker protection](#bkmk-refreshprotection) +- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery) +- [Resolve the root cause](#resolve-the-root-cause) -### Determine the root cause of the recovery +### Determine the root cause of the recovery -If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. +If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. -Review and answer the following questions for your organization: +Review and answer the following questions for the organization: -1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? -2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? -3. If TPM mode was in effect, was recovery caused by a boot file change? -4. 
If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? -5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? -6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? +1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? -To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. +2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? -### Resolve the root cause +3. If TPM mode was in effect, was recovery caused by a boot file change? -After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. +4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? -The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. +5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? + +6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? 
+ +To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode: + +```cmd +manage-bde.exe -status +``` + +Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. + +### Resolve the root cause + +After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup. + +The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. > [!NOTE] -> You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. +> BitLocker validation profile reset can be performed by suspending and resuming BitLocker. -- [Unknown PIN](#bkmk-unknownpin) -- [Lost startup key](#bkmk-loststartup) -- [Changes to boot files](#bkmk-changebootknown) +- [Unknown PIN](#unknown-pin) +- [Lost startup key](#lost-startup-key) +- [Changes to boot files](#changes-to-boot-files) +### Unknown PIN -### Unknown PIN +If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. -If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. +#### To prevent continued recovery due to an unknown PIN -**To prevent continued recovery due to an unknown PIN** +1. Unlock the computer using the recovery password. -1. Unlock the computer using the recovery password. -2. Reset the PIN: - 1. Select and hold the drive and then select **Change PIN** - 2. 
In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. -3. You will use the new PIN the next time you unlock the drive. +2. Reset the PIN: -### Lost startup key + 1. Select and hold the drive and then select **Change PIN** -If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key. + 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time. -**To prevent continued recovery due to a lost startup key** + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. -1. Log on as an administrator to the computer that has its startup key lost. -2. Open Manage BitLocker. -3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then select **Save**. +3. The new PIN can be used the next time the drive needs to be unlocked. -### Changes to boot files +### Lost startup key -This error occurs if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. +If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created. 
+ +#### To prevent continued recovery due to a lost startup key + +1. Sign in as an administrator to the computer that has its startup key lost. + +2. Open Manage BitLocker. + +3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**. + +### Changes to boot files + +This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time. ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. 
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives. -Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. +Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. 
After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally. -The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. +The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. -To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. -To activate the on-screen keyboard, tap on a text input control. +To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. To activate the on-screen keyboard, tap on a text input control. :::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated."::: 
@@ -287,44 +335,50 @@ To activate the on-screen keyboard, tap on a text input control. During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. - ### Custom recovery message -BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker Group Policy settings starting in Windows 10, version 1511, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. -It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: -*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\* +It can also be configured using mobile device management (MDM), including in Intune, using the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp): + +**`./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage`** ![Custom URL.](./images/bl-intune-custom-url.png) -Example of customized recovery screen: +Example of a customized recovery screen: ![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png) - ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. 
This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen.](./images/bl-password-hint2.png) > [!IMPORTANT] -> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. +> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. There are rules governing which hint is shown during the recovery (in the order of processing): 1. Always display custom recovery message if it has been configured (using GPO or MDM). -2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." -3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key. -4. 
Prioritize keys with successful backup over keys that have never been backed up. -5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. -6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. -7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date. -8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” is displayed. -9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. +2. Always display generic hint: `For more information, go to https://aka.ms/recoverykeyfaq.` + +3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key. + +4. Prioritize keys with successful backup over keys that have never been backed up. + +5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. + +6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints. + +7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date. + +8. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed. + +9. 
If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. #### Example 1 (single recovery key with single backup) @@ -336,12 +390,10 @@ There are rules governing which hint is shown during the recovery (in the order | Printed | No | | Saved to file | No | - **Result:** The hints for the Microsoft account and custom URL are displayed. ![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png) - #### Example 2 (single recovery key with single backup) | Custom URL | Yes | @@ -356,7 +408,6 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png) - #### Example 3 (single recovery key with multiple backups) | Custom URL | No | @@ -371,7 +422,6 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png) - #### Example 4 (multiple recovery passwords) | Custom URL | No | @@ -384,8 +434,8 @@ There are rules governing which hint is shown during the recovery (in the order | Creation time | **1PM** | | Key ID | A564F193 | -  -  +
    +
    | Custom URL | No | |----------------------|-----------------| @@ -401,7 +451,6 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png) - #### Example 5 (multiple recovery passwords) | Custom URL | No | @@ -414,9 +463,6 @@ There are rules governing which hint is shown during the recovery (in the order | Creation time | **1PM** | | Key ID | 99631A34 | -  -  - | Custom URL | No | |----------------------|-----------------| | Saved to Microsoft Account | No | 
@@ -431,70 +477,81 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png) - -## Using additional recovery information +## Using additional recovery information Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. - ### BitLocker key package -If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. +If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password. > [!NOTE] -> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. +> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package. -The BitLocker key package is not saved by default. 
To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the group policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). +The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package). -## Resetting recovery passwords +## Resetting recovery passwords -You must invalidate a recovery password after it has been provided and used, and when you intentionally want to invalidate an existing recovery password for any reason. +It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason. -You can reset the recovery password in two ways: +The recovery password and be invalidated and reset in two ways: -- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. +- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. 
-**To reset a recovery password using manage-bde:** +- **Run a script**: A script can be run to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. -1. Remove the previous recovery password. +### Resetting a recovery password using `manage-bde.exe` - ```powershell - Manage-bde –protectors –delete C: –type RecoveryPassword +1. Remove the previous recovery password. + + ```cmd + `manage-bde.exe` -protectors -delete C: -type RecoveryPassword ``` -2. Add the new recovery password. - ```powershell - Manage-bde –protectors –add C: -RecoveryPassword +2. Add the new recovery password. + + ```cmd + `manage-bde.exe` -protectors -add C: -RecoveryPassword ``` -3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. - ```powershell - Manage-bde –protectors –get C: -Type RecoveryPassword +3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. + + ```cmd + `manage-bde.exe` -protectors -get C: -Type RecoveryPassword ``` -4. Back up the new recovery password to AD DS. - ```powershell - Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} +4. Back up the new recovery password to AD DS. + + ```cmd + `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` > [!WARNING] - > You must include the braces in the ID string. + > The braces `{}` must be included in the ID string. -**To run the sample recovery password script:** +### Running the sample recovery password script to reset the recovery passwords -1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. -2. At the command prompt, type a command similar to the following: +1. Save the following sample script in a VBScript file. For example: - **cscript ResetPassword.vbs** + `ResetPassword.vbs`. + +2. 
At the command prompt, enter the following command:: + + ```cmd + cscript.exe ResetPassword.vbs + ``` > [!IMPORTANT] - > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. + > This sample script is configured to work only for the C volume. If necessary, customize the script to match the volume where the password reset needs to be tested. > [!NOTE] -> To manage a remote computer, you must specify the remote computer name rather than the local computer name. +> To manage a remote computer, specify the remote computer name rather than the local computer name. -You can use the following sample VBScript to reset the recovery passwords: +The following sample VBScript can be used to reset the recovery passwords: + +
    +

    + Expand to view sample recovery password VBscript to reset the recovery passwords ```vb ' Target drive letter @@ -564,27 +621,36 @@ Next WScript.Echo "A new recovery password has been added. Old passwords have been removed." ' - some advanced output (hidden) 'WScript.Echo "" -'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." +'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." ``` +
    -## Retrieving the BitLocker key package +## Retrieving the BitLocker key package -You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): +Two methods can be used to retrieve the key package as described in [Using Additional Recovery Information](#using-additional-recovery-information): -- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. -- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. +- **Export a previously saved key package from AD DS.** Read access is required to BitLocker recovery passwords that are stored in AD DS. -The following sample script exports all previously saved key packages from AD DS. +- **Export a new key package from an unlocked, BitLocker-protected volume.** Local administrator access to the working volume is required before any damage occurred to the volume. -**To run the sample key package retrieval script:** +### Running the sample key package retrieval script that exports all previously saved key packages from AD DS -1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. -2. At the command prompt, type a command similar to the following sample script: +The following steps and sample script exports all previously saved key packages from AD DS. - **cscript GetBitLockerKeyPackageADDS.vbs -?** +1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackageADDS.vbs`. -You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS: +2. At the command prompt, enter a command similar to the following sample script: + + ```cmd + cscript.exe GetBitLockerKeyPackageADDS.vbs -? 
+ ``` + +The following sample script can be used to create a VBScript file to retrieve the BitLocker key package from AD DS: + +
    +
    + Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS ```vb ' -------------------------------------------------------------------------------- @@ -724,14 +790,23 @@ End Function WScript.Quit ``` -The following sample script exports a new key package from an unlocked, encrypted volume. +
    -**To run the sample key package retrieval script:** +### Running the sample key package retrieval script that exports a new key package from an unlocked, encrypted volume -1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs -2. Open an administrator command prompt, and then type a command similar to the following sample script: +The following steps and sample script exports a new key package from an unlocked, encrypted volume. - **cscript GetBitLockerKeyPackage.vbs -?** +1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackage.vbs` + +2. Open an administrator command prompt, and then enter a command similar to the following sample script: + + ```cmd + cscript.exe GetBitLockerKeyPackage.vbs -? + ``` + +
    +
    + Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume ```vb ' -------------------------------------------------------------------------------- @@ -826,7 +901,7 @@ End If ' Fail case: no recovery key protectors exist. If strDefaultKeyProtectorID = "" Then WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive." -WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""." +WScript.Echo "For help adding recovery passwords or recovery keys, enter ""manage-bde.exe -protectors -add -?""." WScript.Quit -1 End If End If @@ -886,7 +961,7 @@ End If WScript.Echo "Save this recovery password: " & sNumericalPassword ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK" -WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?""" +WScript.Echo "For help re-saving this external key file, enter ""manage-bde.exe -protectors -get -?""" End If '---------------------------------------------------------------------------------------- ' Utility functions to save binary data @@ -911,7 +986,8 @@ Function BinaryToString(Binary) End Function ``` +
    -## See also +## Related articles - [BitLocker overview](bitlocker-overview.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 30291fe4c7..4120e83475 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
@@ -3,33 +3,41 @@ title: Breaking out of a BitLocker recovery loop description: This article for IT professionals describes how to break out of a BitLocker recovery loop. ms.prod: windows-client ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 10/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # Breaking out of a BitLocker recovery loop -Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This experience can be frustrating. +Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating. -If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. +If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop: > [!NOTE] -> Try these steps only after you have restarted your device at least once. +> Try these steps only after the device has been restarted at least once. -1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**. +1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**. 2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**. -3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` +3. From the WinRE command prompt, manually unlock the drive with the following command: -4. 
Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` +```cmd +manage-bde.exe -unlock C: -rp +``` -5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system. +4. Suspend the protection on the operating system with the following command: + +```cmd +manage-bde.exe -protectors -disable C: +``` + +5. Once the command is run, exit the command prompt and continue to boot into the operating system. diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml index 465a4c3d6d..e9cb42a381 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml @@ -3,24 +3,26 @@ metadata: title: BitLocker Security FAQ (Windows 10) description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: faq - ms.date: 03/14/2022 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Security FAQ summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above 
@@ -35,17 +37,17 @@ sections: - question: | What is the best practice for using BitLocker on an operating system drive? answer: | - The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. + The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer. - question: | What are the implications of using the sleep or hibernate power management options? answer: | - BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since it remains unprotected data in RAM. Therefore, for improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). 
+ BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). - question: | What are the advantages of a TPM? answer: | - Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. + Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. 
Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. > [!NOTE] > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml index e318b5ed29..1045a942fe 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml @@ -3,24 +3,24 @@ metadata: title: BitLocker To Go FAQ (Windows 10) description: "Learn more about BitLocker To Go" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.author: dansimp - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security + ms.author: frankroj ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp + author: frankroj manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: faq - ms.date: 07/10/2018 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker To Go FAQ summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 sections: 
@@ -37,4 +37,4 @@ sections: Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements). - As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. + As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml index 40fdb23d9d..ea7c705f38 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml @@ -2,31 +2,34 @@ metadata: title: BitLocker Upgrading FAQ (Windows 10) description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.reviewer: ms.custom: bitlocker title: BitLocker Upgrading FAQ summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above sections: - name: Ignored questions: - question: | - Can I upgrade to Windows 10 with BitLocker enabled? + Can I upgrade to Windows 10 with BitLocker enabled? answer: | Yes. 
@@ -43,12 +46,12 @@ sections: No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). Users need to suspend BitLocker for Non-Microsoft software updates, such as: - - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. + - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection. - Non-Microsoft application updates that modify the UEFI\BIOS configuration. - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). - - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation). - - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported). 
+ - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates). + - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**. > [!NOTE] - > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. + > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index a78f47ee01..c88e87b23c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -4,21 +4,21 @@ description: This article for the IT professional describes how to use tools to ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker -**Applies to** +*Applies to:* - Windows 10 - Windows 11 
@@ -32,96 +32,108 @@ Both manage-bde and the BitLocker cmdlets can be used to perform any task that c Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console. -1. [Manage-bde](#bkmk-managebde) -2. [Repair-bde](#bkmk-repairbde) -3. [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets) +1. [Manage-bde](#manage-bde) +2. [Repair-bde](#repair-bde) +3. [BitLocker cmdlets for Windows PowerShell](#bitlocker-cmdlets-for-windows-powershell) -## Manage-bde +## Manage-bde -Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. +Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. -Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. +Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. 
For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. ### Using manage-bde with operating system volumes -Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume. +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume. -A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: +A good practice when using `manage-bde.exe` is to determine the volume status on the target system. 
Use the following command to determine volume status: -```powershell -manage-bde -status +```cmd +manage-bde.exe -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: ![Using manage-bde to check encryption status.](images/manage-bde-status.png) -The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. +The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process. -```powershell -manage-bde –protectors -add C: -startupkey E: -manage-bde -on C: +```cmd +manage-bde.exe -protectors -add C: -startupkey E: +manage-bde.exe -on C: ``` > [!NOTE] > After the encryption is completed, the USB startup key must be inserted before the operating system can be started. - -An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. 
To add them, use this command: -```powershell -manage-bde -protectors -add C: -pw -sid +An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command: + +```cmd +manage-bde.exe -protectors -add C: -pw -sid ``` -This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker. +The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on. -On computers with a TPM, it's possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command: +On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command: -```powershell -manage-bde -on C: +```cmd +manage-bde.exe -on C: ``` -This command encrypts the drive using the TPM as the default protector. If you aren't sure if a TPM protector is available, to list the protectors available for a volume, run the following command: +The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command: -```powershell - manage-bde -protectors -get +```cmd + manage-bde.exe -protectors -get ``` + ### Using manage-bde with data volumes -Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. 
Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume. +Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: -A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker. +`manage-bde.exe -on ` -```powershell -manage-bde -protectors -add -pw C: -manage-bde -on C: +or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume. + +A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on. + +```cmd +manage-bde.exe -protectors -add -pw C: +manage-bde.exe -on C: ``` -## Repair-bde +## Repair-bde -You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly. +Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly. -The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. 
This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. +The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted with BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. This key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With this key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package will work only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS. > [!TIP] -> If you aren't backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. - -The Repair-bde command-line tool is intended for use when the operating system doesn't start or when you can't start the BitLocker Recovery Console. 
Use Repair-bde if the following conditions are true: +> If recovery information is not being backed up to AD DS or if key packages need to be saved in an alternative way, the command: +> +> `manage-bde.exe -KeyPackage` +> +> can be used to generate a key package for a volume. -- You have encrypted the drive by using BitLocker Drive Encryption. -- Windows doesn't start, or you can't start the BitLocker recovery console. -- You don't have a copy of the data that is contained on the encrypted drive. +The Repair-bde command-line tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde if the following conditions are true: + +- The drive has been encrypted using BitLocker Drive Encryption. + +- Windows doesn't start, or the BitLocker recovery console can't be started. + +- There isn't a backup copy of the data that is contained on the encrypted drive. > [!NOTE] -> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. - +> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. + The following limitations exist for Repair-bde: -- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process. -- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. +- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process. 
+ +- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)). -## BitLocker cmdlets for Windows PowerShell +## BitLocker cmdlets for Windows PowerShell Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. @@ -139,18 +151,19 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work |**Resume-BitLocker**|
  • Confirm
  • MountPoint
  • WhatIf| |**Suspend-BitLocker**|
  • Confirm
  • MountPoint
  • RebootCount
  • WhatIf| |**Unlock-BitLocker**|
  • AdAccountOrGroup
  • Confirm
  • MountPoint
  • Password
  • RecoveryKeyPath
  • RecoveryPassword
  • RecoveryPassword
  • WhatIf| - + Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. +A good initial step is to determine the current state of the volume(s) on the computer. Determining the current state of the volume(s) can be done using the `Get-BitLockerVolume` cmdlet. -The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. +The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status, and other details. > [!TIP] -> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. -`Get-BitLockerVolume C: | fl` - -If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. +> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If all of the protectors for a volume are not seen, use the Windows PowerShell pipe command (|) to format a full listing of the protectors: +> +> `Get-BitLockerVolume C: | fl` + +To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed. 
A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: @@ -159,9 +172,9 @@ $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` -By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector. +By using this script, the information in the $keyprotectors variable can be displayed to determine the GUID for each protector. -By using this information, you can then remove the key protector for a specific volume using the command: +By using this information, the key protector for a specific volume can be removed using the command: ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" @@ -169,10 +182,10 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" > [!NOTE] > The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. - + ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes -Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. +Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: 
@@ -199,11 +212,11 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ### Using an AD Account or Group protector in Windows PowerShell -The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. +The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and become unlocked by any member computer of the cluster. > [!WARNING] > The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes - + To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ```powershell 
@@ -214,14 +227,14 @@ For users who wish to use the SID for the account or group, the first step is to > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. - + ```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` > [!TIP] > In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features. - + The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: ```powershell @@ -230,8 +243,8 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5- > [!NOTE] > Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. - -## More information + +## Related articles - [BitLocker overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 5d93cacbd9..3101c1d0bd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md 
@@ -1,67 +1,73 @@ --- title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) -description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. +description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # BitLocker: Use BitLocker Recovery Password Viewer -**Applies to** +*Applies to:* - Windows 10 - Windows 11 - Windows Server 2016 and above -This topic describes how to use the BitLocker Recovery Password Viewer. +This article describes how to use the BitLocker Recovery Password Viewer. -The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). +The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). 
It lets BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS) be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. -## Before you start +Additionally a domain container can be searched for BitLocker recovery password across all the domains in the Active Directory forest via a right-click. Passwords can also be searched by password identifier (ID). -To complete the procedures in this scenario: +## Before starting -- You must have domain administrator credentials. -- Your test computers must be joined to the domain. -- On the domain-joined test computers, BitLocker must have been turned on. +To complete the procedures in this scenario, the following requirements must be met: + +- Domain administrator credentials. +- Test computers must be joined to the domain. +- On the domain-joined test computers, BitLocker must have been turned on. The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. -**To view the recovery passwords for a computer** +### To view the recovery passwords for a computer -1. In **Active Directory Users and Computers**, locate and then click the container in which the computer is located. -2. Right-click the computer object, and then click **Properties**. -3. In the **Properties** dialog box, click the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer. +1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located. -**To copy the recovery passwords for a computer** +2. 
Right-click the computer object, and then select **Properties**. -1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. -2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that you want to copy, and then click **Copy Details**. -3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. +3. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer. -**To locate a recovery password by using a password ID** +### To copy the recovery passwords for a computer -1. In Active Directory Users and Computers, right-click the domain container, and then click **Find BitLocker Recovery Password**. -2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then click **Search**. -By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password. +1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. -## More information +2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**. + +3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. + +### To locate a recovery password by using a password ID + +1. In Active Directory Users and Computers, right-click the domain container, and then select **Find BitLocker Recovery Password**. + +2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then select **Search**. 
+ +By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password. + +## Replated articles - [BitLocker Overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) -  -  diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml index bb221372e1..e688d0fd10 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml 
@@ -1,26 +1,28 @@ ### YamlMime:FAQ metadata: title: Using BitLocker with other programs FAQ (Windows 10) - description: Learn how to integrate BitLocker with other software on your device. + description: Learn how to integrate BitLocker with other software on a device. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: Using BitLocker with other programs FAQ summary: | - **Applies to** - - Windows 10 + *Applies to:* + - Windows 10 + - Windows 11 + - Windows Server 2016 and above sections: 
@@ -29,12 +31,12 @@ sections: - question: | Can I use EFS with BitLocker? answer: | - Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. + Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. - question: | Can I run a kernel debugger with BitLocker? answer: | - Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. + Yes. However, the debugger should be turned on before enabling BitLocker. 
Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If debugging needs to be turned on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting the computer into recovery mode. - question: | How does BitLocker handle memory dumps? 
@@ -44,80 +46,82 @@ sections: - question: | Can BitLocker support smart cards for pre-boot authentication? answer: | - BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. + BitLocker doesn't support smart cards for pre-boot authentication. There's no single industry standard for smart card support in the firmware, and most computers either don't implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. - question: | Can I use a non-Microsoft TPM driver? answer: | - Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. + Microsoft doesn't support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM isn't present on the computer and not allow the TPM to be used with BitLocker. - question: | Can other tools that manage or modify the master boot record work with BitLocker? answer: | - We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. 
Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. + We don't recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for several security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally and complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. - question: | - Why is the system check failing when I am encrypting my operating system drive? + Why is the system check failing when I'm encrypting my operating system drive? answer: | - The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: + The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: - - The computer's BIOS or UEFI firmware cannot read USB flash drives. - - The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. - - There are multiple USB flash drives inserted into the computer. - - The PIN was not entered correctly. - - The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. - - The startup key was removed before the computer finished rebooting. - - The TPM has malfunctioned and fails to unseal the keys. + - The computer's BIOS or UEFI firmware can't read USB flash drives. + - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled. 
+ - There are multiple USB flash drives inserted into the computer. + - The PIN wasn't entered correctly. + - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment. + - The startup key was removed before the computer finished rebooting. + - The TPM has malfunctioned and fails to unseal the keys. - question: | - What can I do if the recovery key on my USB flash drive cannot be read? + What can I do if the recovery key on my USB flash drive can't be read? answer: | - Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. + Some computers can't read USB flash drives in the pre-boot environment. First, check the BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it isn't enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings, and then try to read the recovery key from the USB flash drive again. If the USB flash drive still can't be read, the hard drive will need to be mounted as a data drive on another computer so that there's an operating system to attempt to read the recovery key from the USB flash drive. 
If the USB flash drive has been corrupted or damaged, a recovery password may need to be supplied or use the recovery information that was backed up to AD DS. Also, if the recovery key is being used in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. - question: | Why am I unable to save my recovery key to my USB flash drive? answer: | - The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. + The **Save to USB** option isn't shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. - question: | Why am I unable to automatically unlock my drive? answer: | - Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. + Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If a computer is being used that doesn't have a BitLocker-protected operating system drive, then the fixed drive can't be automatically unlocked. For removable data drives, automatic unlocking can be added by right-clicking the drive in Windows Explorer and selecting **Manage BitLocker**. Password or smart card credentials that were supplied when BitLocker was turned on can still be used to unlock the removable drive on other computers. - question: | Can I use BitLocker in Safe Mode? 
answer: | - Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. + Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer isn't available in Safe Mode. - question: | How do I "lock" a data drive? answer: | - Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. + Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command. > [!NOTE] > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. The syntax of this command is: - manage-bde driveletter -lock + ```cmd + manage-bde.exe -lock + ```` Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. - question: | Can I use BitLocker with the Volume Shadow Copy Service? answer: | - Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. + Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If a hardware encrypted drive is being used, the shadow copies are retained. - question: | Does BitLocker support virtual hard disks (VHDs)? 
answer: | BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. - - With TPM: Yes, it is supported. - - Without TPM: Yes, it is supported (with password protector). + - With TPM: Yes, it's supported. + - Without TPM: Yes, it's supported (with password protector). - BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. + BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. - question: | Can I use BitLocker with virtual machines (VMs)? answer: | - Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. + Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. 
Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 054be23605..a76b56a2d3 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -1,23 +1,23 @@ --- -title: Prepare your organization for BitLocker Planning and policies (Windows 10) -description: This article for the IT professional explains how can you plan your BitLocker deployment. +title: Prepare the organization for BitLocker Planning and policies (Windows 10) +description: This article for the IT professional explains how can to plan for a BitLocker deployment. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - M365-security-compliance ms.topic: conceptual -ms.date: 04/24/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- -# Prepare your organization for BitLocker: Planning and policies +# Prepare an organization for BitLocker: Planning and policies -**Applies to** +*Applies to:* - Windows 10 - Windows 11 
@@ -25,18 +25,22 @@ ms.technology: itpro-security This article for the IT professional explains how to plan BitLocker deployment. -When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. +When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems. -## Audit your environment +## Audit the environment -To plan your BitLocker deployment, understand your current environment. Do an informal audit to define your current policies, procedures, and hardware environment. Review your existing disk encryption software corporate security policies. If your organization isn't using disk encryption software, then none of these policies will exist. If you use disk encryption software, then you might need to change your organization's policies to use the BitLocker features. +To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software corporate security policies. If the organization isn't using disk encryption software, then none of these policies will exist. If disk encryption software is being used, then the organization's policies might need to be changed to use the BitLocker features. 
-To help you document your organization's current disk encryption security policies, answer the following questions: +To help document the organization's current disk encryption security policies, answer the following questions: 1. Are there policies to determine which computers will use BitLocker and which computers won't use BitLocker? + 2. What policies exist to control recovery password and recovery key storage? + 3. What are the policies for validating the identity of users who need to perform BitLocker recovery? + 4. What policies exist to control who in the organization has access to recovery data? + 5. What policies exist to control computer decommissioning or retirement? ## Encryption keys and authentication 
@@ -48,51 +52,52 @@ BitLocker helps prevent unauthorized access to data on lost or stolen computers The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data. And, help make sure a computer hasn't been tampered with while the system was offline. -Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. +Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. -On computers that don't have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM. +On computers that don't have a TPM version 1.2 or higher, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM. 
### BitLocker key protectors + | Key protector | Description | | - | - | -| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| -| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| -| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| -| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| -| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.| -| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| +| *TPM* | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| +| *PIN* | A user-entered numeric key protector that can only be used in addition to the TPM.| +| *Enhanced PIN* | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| +| *Startup key* | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.| +| *Recovery password* | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. 
If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.| +| *Recovery key*| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| ### BitLocker authentication methods | Authentication method | Requires user interaction | Description | | - | - | - | -| TPM only| No| TPM validates early boot components.| -| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| -| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | -| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| -| Startup key only | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.| +| *TPM only*| No| TPM validates early boot components.| +| *TPM + PIN* | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| +| *TPM + Network key* | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. 
This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | +| *TPM + startup key* | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| +| *Startup key only* | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.| -**Will you support computers without TPM 1.2 or higher versions?** +#### Will computers without TPM 1.2 or higher versions be supported? -Determine whether you will support computers that don't have a TPM 1.2 or higher versions in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. +Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support computers with TPM 1.2 or higher versions, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. -**What areas of your organization need a baseline level of data protection?** +#### What areas of the organization need a baseline level of data protection? The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. -However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. 
BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. +However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection. -**What areas of your organization need a more secure level of data protection?** +#### What areas of the organization need a more secure level of data protection? -If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. +If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. BitLocker Network Unlock can also be used to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. -**What multifactor authentication method does your organization prefer?** +#### What multifactor authentication method does the organization prefer? The protection differences provided by multifactor authentication methods can't be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and any automated systems management processes. ## TPM hardware configurations -In your deployment plan, identify what TPM-based hardware platforms will be supported. 
Document the hardware models from an OEM of your choice so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. +In the deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM(s) being used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. ### TPM 1.2 states and initialization @@ -102,7 +107,7 @@ For TPM 1.2, there are multiple possible states. Windows automatically initializ For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. -An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken. +An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken. For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). 
@@ -110,13 +115,13 @@ For more information about the TPM and the TCG, see the Trusted Computing Group: Devices that don't include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. -Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: +Use the following questions to identify issues that might affect the deployment in a non-TPM configuration: - Are password complexity rules in place? -- Do you have budget for USB flash drives for each of these computers? -- Do your existing non-TPM devices support USB devices at boot time? +- Is there a budget for USB flash drives for each of these computers? +- Do existing non-TPM devices support USB devices at boot time? -Test your individual hardware platforms with the BitLocker system check option while you're enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material. +Test the individual hardware platforms with the BitLocker system check option while enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material. ## Disk configuration considerations 
@@ -125,17 +130,17 @@ To function correctly, BitLocker requires a specific disk configuration. BitLock - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system - The system partition (or boot partition) includes the files needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker isn't enabled on this partition. For BitLocker to work, the system partition must not be encrypted, and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32-file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. -Windows setup automatically configures the disk drives of your computer to support BitLocker encryption. +Windows setup automatically configures the disk drives of computers to support BitLocker encryption. Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE with BitLocker, the Windows RE boot image must be on a volume that isn't protected by BitLocker. -Windows RE can also be used from boot media other than the local hard disk. If you don't install Windows RE on the local hard disk of BitLocker-enabled computers, then you can use different boot methods. For example, you can use Windows Deployment Services, CD-ROM, or USB flash drive for recovery. +Windows RE can also be used from boot media other than the local hard disk. 
If Windows RE isn't installed on the local hard disk of BitLocker-enabled computers, then different methods can be used to boot Windows RE. For example, Windows Deployment Services (WDS), CD-ROM, or USB flash drive can be used for recovery. ## BitLocker provisioning In Windows Vista and Windows 7, BitLocker was provisioned after the installation for system and data volumes. It used the `manage-bde` command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM. -To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, `manage-bde` tool, or WMI APIs to add an appropriate key protector. The volume status will be updated. +To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated. 
When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status. @@ -145,7 +150,7 @@ Administrators can enable BitLocker before to operating system deployment from t The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption. -Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. +Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. 
@@ -155,7 +160,7 @@ With Full drive encryption, the entire drive is encrypted, whether data is store BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > ***drive type*** > **Choose how BitLocker-protected drives can be recovered**. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information). @@ -167,7 +172,7 @@ The following recovery data is saved for each computer object: - **Key package data** - With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID. + With this key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID. ## FIPS support for recovery password protector 
@@ -176,21 +181,25 @@ Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLoc > [!NOTE] > The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. -Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant). +Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [The recovery password for Windows BitLocker isn't available when FIPS compliant policy is set in Windows](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant). 
-But on computers running these supported systems with BitLocker enabled: +However, on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm. + - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. + - Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. + - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. + - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not. -On Windows Server 2012 R2 and Windows 8.1 and older, you can't use recovery passwords generated on a system in FIPS mode. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead. +On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generated on a system in FIPS mode can't be used. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead. -## More information +## Related articles - [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md) - [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md) 
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index e8b8312363..ad33dd9dfd 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -4,26 +4,27 @@ description: This article for IT pros describes how to protect CSVs and SANs wit ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker ms.technology: itpro-security --- # Protecting cluster shared volumes and storage area networks with BitLocker -**Applies to** -- Windows Server 2016 +*Applies to:* + +- Windows Server 2016 and above This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. -## Configuring BitLocker on Cluster Shared Volumes +## Configuring BitLocker on Cluster Shared Volumes ### Using BitLocker with clustered volumes 
@@ -31,146 +32,150 @@ Volumes within a cluster are managed with the help of BitLocker based on how the > [!IMPORTANT] > SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/). - + Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: - It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool. - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. +Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. 
> [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. - -If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. + +If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. The **`manage-bde.exe -WipeFreeSpace`** command can't be used to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **`manage-bde.exe -WipeFreeSpace`** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place: +An Active Directory Domain Services (AD DS) protector can also be used for protecting clustered volumes held within the AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. 
When an unlock request is made for a protected volume, the following events take place: -- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. +- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. - BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: - 1. Clear key - 2. Driver-based auto-unlock key - 3. **ADAccountOrGroup** protector - + 1. Clear key + 2. Driver-based auto-unlock key + 3. **ADAccountOrGroup** protector + a. Service context protector - + b. User protector - - 4. Registry-based auto-unlock key + + 4. Registry-based auto-unlock key > [!NOTE] > A Windows Server 2012 or later domain controller is required for this feature to work properly. - + ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell BitLocker encryption is available for disks before these disks are added to a cluster storage pool. > [!NOTE] -> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. -The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. +> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. +The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: -1. Install the BitLocker Drive Encryption feature if it isn't already installed. -2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. -3. Identify the name of the cluster with Windows PowerShell. +1. Install the BitLocker Drive Encryption feature if it isn't already installed. + +2. 
Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. + +3. Identify the name of the cluster with Windows PowerShell. ```powershell Get-Cluster ``` -4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: + +4. Enable BitLocker on a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - > [!WARNING] - > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. - -5. Repeat the preceding steps for each disk in the cluster. -6. Add the volume(s) to the cluster. + > [!WARNING] + > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + +5. Repeat the preceding steps for each disk in the cluster. + +6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the BitLocker for a clustered disk using Windows PowerShell, perform the following steps: -1. Install the BitLocker drive encryption feature if it isn't already installed. -2. Check the status of the cluster disk using Windows PowerShell. +1. 
Install the BitLocker drive encryption feature if it isn't already installed. + +2. Check the status of the cluster disk using Windows PowerShell. ```powershell Get-ClusterResource "Cluster Disk 1" ``` -3. Put the physical disk resource into maintenance mode using Windows PowerShell. + +3. Put the physical disk resource into maintenance mode using Windows PowerShell. ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` -4. Identify the name of the cluster with Windows PowerShell. + +4. Identify the name of the cluster with Windows PowerShell. ```powershell Get-Cluster ``` -5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: + +5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` > [!WARNING] - > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. - -6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode: + > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. + +6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode: ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` -7. Repeat the preceding steps for each disk in the cluster. -### Adding BitLocker-encrypted volumes to a cluster using manage-bde +7. Repeat the preceding steps for each disk in the cluster. -You can also use **manage-bde** to enable BitLocker on clustered volumes. 
The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: +### Adding BitLocker-encrypted volumes to a cluster using `manage-bde.exe` -1. Verify that the BitLocker drive encryption feature is installed on the computer. -2. Ensure new storage is formatted as NTFS. -3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example): +**`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: - - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` +1. Verify that the BitLocker drive encryption feature is installed on the computer. - 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. - 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: - - The -sync parameter ensures the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool. +2. Ensure new storage is formatted as NTFS. -4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. +3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example: + ```cmd + manage-bde.exe -on -used -RP -sid domain\CNO$ -sync + ``` - - Once the disk is clustered, it's enabled for CSV. + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. + 2. Using the -sync parameter is optional. However, using the -sync parameter has the advantage of ensuring the command waits until the encryption for the volume is completed. 
The volume is then released for use in the cluster storage pool. -5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. +4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. - 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. - 2. If the volume is BitLocker enabled, the following check occurs: + - Once the disk is clustered, it's enabled for CSV. +5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. + 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. -6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". -CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: + 2. If the volume is BitLocker enabled, BitLocker checks if the volume is **locked**. If the volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. -- Utilize the **manage-bde -status** command with a path to the volume. +6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource, and choosing "**Add to cluster shared volumes**". - The path must be one that is inside the CSV namespace as seen in the example command line below. 
+CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption run the `manage-bde.exe -status` command as an administrator with a path to the volume. The path must be one that is inside the CSV namespace. For example: - -```powershell -manage-bde -status "C:\ClusterStorage\volume1" +```cmd +manage-bde.exe -status "C:\ClusterStorage\volume1" ``` ### Physical disk resources - -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you can't unlock or decrypt a physical disk resource if you aren't administering the cluster node that owns the disk resource because the disk resource isn't available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking, or unlocking volumes require a context to perform. For example, a physical disk resource can't unlock or decrypt if it isn't administering the cluster node that owns the disk resource because the disk resource isn't available. ### Restrictions on BitLocker actions with cluster volumes 
@@ -178,31 +183,38 @@ The following table contains information about both physical disk resources (tha | Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode | |--- |--- |--- |--- |--- | -|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed| -|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed| -|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed| -|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed| -|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe -on`**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe -off`**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe Pause/Resume`**|Blocked|Blocked**|Blocked|Allowed| +|**`Manage-bde.exe -lock`**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe -wipe`**|Blocked|Blocked|Blocked|Allowed| |**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed| -|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed| -|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed| -|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)| -|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed| +|**`Manage-bde.exe -protector -add`**|Allowed|Allowed|Blocked|Allowed| +|**`Manage-bde.exe -protector -delete`**|Allowed|Allowed|Blocked|Allowed| +|**`Manage-bde.exe -autounlock`**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)| +|**`Manage-bde.exe -upgrade`**|Allowed|Allowed|Blocked|Allowed| |**Shrink**|Allowed|Allowed|Blocked|Allowed| |**Extend**|Allowed|Allowed|Blocked|Allowed| > [!NOTE] -> Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. 
- +> Although the **`manage-bde.exe -pause`** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. + In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include: -- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. -- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. -- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. -- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. -- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. -- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. -- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. + +- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. 
+ +- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete. + +- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. + +- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. + +- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. + +- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. + +- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index c9c1de7322..3a2eab807c 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md 
@@ -5,52 +5,55 @@ ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/17/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- # Guidelines for troubleshooting BitLocker -This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes your troubleshooting process much easier. +This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes the troubleshooting process much easier. ## Review the event logs -Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows: +Open **Event Viewer** and review the following logs under **Applications and Services Logs** > **Microsoft** > **Windows**: -- **BitLocker-API**. Review the management log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - - Microsoft-Windows-BitLocker-API/BitLocker Operational - - Microsoft-Windows-BitLocker-API/BitLocker Management +- **BitLocker-API**. Review the **Management** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names: -- **BitLocker-DrivePreparationTool**. Review the admin log, the operational log, and any other logs that are generated in this folder. 
The default logs have the following unique names: - - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational - - Microsoft-Windows-BitLocker-DrivePreparationTool/Admin + - **Microsoft-Windows-BitLocker-API/Management** + - **Microsoft-Windows-BitLocker-API/Operational** + - **Microsoft-Windows-BitLocker-API/Tracing** - only displayed when **Show Analytic and Debug Logs** is enabled -Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources. +- **BitLocker-DrivePreparationTool**. Review the **Admin** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names: -To filter and display or export logs, you can use the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) cmdlet. + - **Microsoft-Windows-BitLocker-DrivePreparationTool/Admin** + - **Microsoft-Windows-BitLocker-DrivePreparationTool/Operational** +Additionally, review the **Windows Logs** > **System** log for events that were produced by the TPM and TPM-WMI event sources. -For example, to use wevtutil to export the contents of the operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run the following command: +To filter and display or export logs, the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) PowerShell cmdlet can be used. 
+ +For example, to use `wevtutil.exe` to export the contents of the operational log from the BitLocker-API folder to a text file that is named `BitLockerAPIOpsLog.txt`, open a Command Prompt window, and run the following command: ```cmd -wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt +wevtutil.exe qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt ``` -To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run the following command: +To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows PowerShell window and run the following command: -```ps -Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv +```powershell +Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational" | Export-Csv -Path Bitlocker-Operational.csv ``` -You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax: +The Get-WinEvent can be used in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax: - To display BitLocker-related information: - ```ps + + ```powershell Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl ``` 
@@ -59,17 +62,20 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png) - To export BitLocker-related information: - ```ps + + ```powershell Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv ``` - To display TPM-related information: - ```ps + + ```powershell Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl ``` - To export TPM-related information: - ```ps + + ```powershell Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv ``` 
@@ -78,59 +84,69 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png) > [!NOTE] -> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. +> When contacting Microsoft Support, it is recommended to export the logs listed in this section. ## Gather status information from the BitLocker technologies -Open an elevated Windows PowerShell window, and run each of the following commands. +Open an elevated Windows PowerShell window, and run each of the following commands: -|Command |Notes | -| --- | --- | -|[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps&preserve-view=true) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. | -|[**manage-bde –status \> C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. | -|[**manage-bde c:
    -protectors -get \> C:\\Protectors**](/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. | -|[**reagentc /info \> C:\\reagent.txt**](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. | -|[**get-BitLockerVolume \| fl**](/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps&preserve-view=true) |Gets information about volumes that BitLocker Drive Encryption can protect. | +|Command |Notes | More Info | +| --- | --- | --- | +|**`Get-Tpm > C:\TPM.txt`** |PowerShell cmdlet that exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet isn't supported in Windows 7. | [Get-Tpm](/powershell/module/trustedplatformmodule/get-tpm)| +|**`manage-bde.exe -status > C:\BDEStatus.txt`** |Exports information about the general encryption status of all drives on the computer. | [manage-bde.exe status](/windows-server/administration/windows-commands/manage-bde-status) | +|**`manage-bde.exe c: -protectors -get > C:\Protectors`** |Exports information about the protection methods that are used for the BitLocker encryption key. | [manage-bde.exe protectors](/windows-server/administration/windows-commands/manage-bde-protectors)| +|**`reagentc.exe /info > C:\reagent.txt`** |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. | [reagentc.exe](/windows-hardware/manufacture/desktop/reagentc-command-line-options) | +|**`Get-BitLockerVolume \| fl`** |PowerShell cmdlet that gets information about volumes that BitLocker Drive Encryption can protect. 
| [Get-BitLockerVolume](/powershell/module/bitlocker/get-bitlockervolume) | ## Review the configuration information -1. Open an elevated Command Prompt window, and run the following commands. +1. Open an elevated Command Prompt window, and run the following commands: - |Command |Notes | - | --- | --- | - |[**gpresult /h \**](/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | - |[**msinfo /report \ /computer \**](/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. | + |Command |Notes | More Info | + | --- | --- | --- | + |**`gpresult.exe /h `** |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | [gpresult.exe](/windows-server/administration/windows-commands/gpresult) | + |**`msinfo.exe /report /computer `** |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |[msinfo.exe](/windows-server/administration/windows-commands/msinfo32) | -1. Open Registry Editor, and export the entries in the following subkeys: +2. Open Registry Editor, and export the entries in the following subkeys: - - **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE** - - **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\** + - **`HKLM\SOFTWARE\Policies\Microsoft\FVE`** + - **`HKLM\SYSTEM\CurrentControlSet\Services\TPM\`** ## Check the BitLocker prerequisites Common settings that can cause issues for BitLocker include the following scenarios: -- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM. -- Windows RE must be enabled. 
You can check the output of the **reagentc** command for the status of WindowsRE. +- The TPM must be unlocked. Check the output of the **`get-tpm`** PowerShell cmdlet command for the status of the TPM. + +- Windows RE must be enabled. Check the output of the **`reagentc.exe`** command for the status of WindowsRE. + - The system-reserved partition must use the correct format. + - On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32. - On legacy computers, the system-reserved partition must be formatted as NTFS. -- If the device that you are troubleshooting is a slate or tablet PC, use to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option. + +- If the device being troubleshot is a slate or tablet PC, use to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option. For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes) ## Next steps -If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not enabled), the issue may have a straightforward fix. +If the information examined so far indicates a specific issue (for example, WindowsRE isn't enabled), the issue may have a straightforward fix. -Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered helps you narrow down the areas to investigate. +Resolving issues that don't have obvious causes depends on exactly which components are involved and what behavior is being see. The gathered information helps narrow down the areas to investigate. 
-- If you are working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md). -- If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). -- If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). -- If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md). -- If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md). -- If BitLocker or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md). -- If BitLocker or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md). +- If the device being troubleshot is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md). -We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue. +- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). + +- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). 
+ +- If BitLocker Network Unlock doesn't behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md). + +- If BitLocker doesn't behave as expected when an encrypted drive is recovered, or if BitLocker unexpectedly recovered a drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md). + +- If BitLocker or the encrypted drive doesn't behave as expected, and errors or events that are related to the TPM are occurring, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md). + +- If BitLocker or the encrypted drive doesn't behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md). + +It's recommended to keep the gathered information handy in case Microsoft Support is contacted for help with resolving the issue. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index 9929bc59ea..21e5e1fe33 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -5,12 +5,12 @@ ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/17/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- 
@@ -19,53 +19,58 @@ ms.custom: bitlocker This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] -> If you have determined that your BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). +> If it is determined that the BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). -## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive +## **Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive** -When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following: +When BitLocker Drive Encryption is turned on a computer that is running Windows 10 Professional or Windows 11, the following message may appear: -> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again. +> **ERROR: An error occurred (code 0x80310059): BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. NOTE: If the -on switch has failed to add key protectors or start encryption, you may need to call manage-bde -off before attempting -on again.** -### Cause +### Cause of **Error 0x80310059** This issue may be caused by settings that are controlled by group policy objects (GPOs). -### Resolution +### Resolution for **Error 0x80310059** > [!IMPORTANT] -> Follow the steps in this section carefully. 
Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. +> Follow the steps in this section carefully. Serious problems might occur if the registry is modified incorrectly. Before modifying the registry, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. To resolve this issue, follow these steps: 1. Start Registry Editor, and navigate to the following subkey: - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** + **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`** -1. Delete the following entries: - - **OSPlatformValidation\_BIOS** - - **OSPlatformValidation\_UEFI** - - **PlatformValidation** +2. Delete the following entries: -1. Exit registry editor, and turn on BitLocker drive encryption again. + - **`OSPlatformValidation_BIOS`** + - **`OSPlatformValidation_UEFI`** + - **`PlatformValidation`** -## "Access is denied" message when you try to encrypt removable drives +3. Exit registry editor, and turn on BitLocker drive encryption again. -You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: + \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index faea2fc7bb..78b5691523 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md 
@@ -1,16 +1,16 @@ --- title: BitLocker cannot encrypt a drive known TPM issues -description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM +description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive that can be attributed to the TPM ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/18/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- 
@@ -19,19 +19,21 @@ ms.custom: bitlocker This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] -> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). +> If it's been determined that the BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). -## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period" +## The TPM is locked and the error **`The TPM is defending against dictionary attacks and is in a time-out period`** is displayed -When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +It's attempted to turn on BitLocker drive encryption on a device but it fails with an error message similar to the following error message: -### Cause +> **The TPM is defending against dictionary attacks and is in a time-out period.** + +### Cause of the TPM being locked The TPM is locked out. -### Resolution +### Resolution for the TPM being locked -To resolve this issue, follow these steps: +To resolve this issue, the TPM needs to be reset and cleared. The TPM can be reset and cleared with the following steps: 1. Open an elevated PowerShell window and run the following script: 
@@ -40,49 +42,72 @@ To resolve this issue, follow these steps: $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} ``` -2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8 -3. Retry starting BitLocker drive encryption. -## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period" +2. Restart the computer. If a prompt is displayed confirming the clearing of the TPM, agree to clear the TPM. -You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +3. Sign on to Windows and retry starting BitLocker drive encryption. -### Cause +> [!WARNING] +> Resetting and clearing the TPM can cause data loss. + +## The TPM fails to prepare with the error **`The TPM is defending against dictionary attacks and is in a time-out period`** + +It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message: + +> **The TPM is defending against dictionary attacks and is in a time-out period.** + +### Cause of TPM failing to prepare The TPM is locked out. -### Resolution +### Resolution for TPM failing to prepare -To resolve this issue, disable and re-enable the TPM. To do this, follow these steps: +To resolve this issue, disable and re-enable the TPM with the following steps: -1. Restart the device, and change the BIOS configuration to disable the TPM. -2. Restart the device again, and return to the TPM management console. 
Following message is displayed: - > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS. +1. Enter the UEFI/BIOS configuration screens of the device by restarting the device and hitting the appropriate key combination as the device boots. Consult with the device manufacturer for the appropriate key combination for entering into the UEFI/BIOS configuration screens. -3. Restart the device, and change the BIOS configuration to enable the TPM. -4. Restart the device, and return to the TPM management console. +2. Once in the UEFI/BIOS configuration screens, disable the TPM. Consult with the device manufacturer for instructions on how to disable the TPM in the UEFI/BIOS configuration screens. -If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +3. Save the UEFI/BIOS configuration with the TPM disabled and restart the device to boot into Windows. + +4. Once signed into Windows, return to the TPM management console. An error message similar to the following error message is displayed: + + > **Compatible TPM cannot be found** + > + > **Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.** + + This message is expected since the TPM is currently disabled in the UEFI firmware/BIOS of the device. + +5. Restart the device and enter the UEFI/BIOS configuration screens again. + +6. Reenable the TPM in the UEFI/BIOS configuration screens. + +7. Save the UEFI/BIOS configuration with the TPM enabled and restart the device to boot into Windows. + +8. Once signed into Windows, return to the TPM management console. 
+ +If the TPM still can't be prepared, clear the existing TPM keys by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). > [!WARNING] > Clearing the TPM can cause data loss. -## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005 +## BitLocker fails to enable with the error **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`** -You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." +The **Do not enable BitLocker until recovery information is stored in AD DS** policy is enforced in the environment. It's attempted to turn on BitLocker drive encryption on a device but it fails with the error message of **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**. -### Cause +### Cause of **`Access Denied`** or **`Insufficient Rights`** -The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run. +The TPM didn't have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information couldn't be backed up to AD DS, and BitLocker drive encryption couldn't turn on. 
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10. -### Resolution +### Resolution for **`Access Denied`** or **`Insufficient Rights`** -To verify that you have correctly identified this issue, use one of the following methods: +To verify this issue is occurring, use one of the following two methods: -- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed. -- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container. +- Disable the policy or remove the computer from the domain followed by trying to turn on BitLocker drive encryption again. If the operation succeeds, then the issue was caused by the policy. + +- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the **Access Denied** or **Insufficient Rights** error. In this case, an error should be displayed when the client tries to access its object in the **`CN=TPM Devices,DC=,DC=com`** container. 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command: 
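Review bot: In the second verification bullet the new line reads `CN=TPM Devices,DC=,DC=com`, which drops the `\<*domain*>` placeholder the removed line carried; an unescaped `<domain>` inside backticks is liable to be stripped as markup, so restore the placeholder in a form that renders (escaping the brackets as the old line did). Minor wording in the same hunk: the new step 1, "Enter the UEFI/BIOS configuration screens of the device by restarting the device and hitting the appropriate key combination as the device boots", repeats "the device" three times; "Restart the device and press the manufacturer's key combination during boot to enter the UEFI/BIOS configuration screens" says the same thing more cleanly.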
@@ -92,38 +117,41 @@ To verify that you have correctly identified this issue, use one of the followin In this command, *ComputerName* is the name of the affected computer. -1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. +2. To resolve the issue, use a tool such as `dsacls.exe` to ensure that the access control list of msTPM-TPMInformationForComputer grants both **Read** and **Write** permissions to **NTAUTHORITY/SELF**. -## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" +## The TPM fails to be prepared with the error **`0x80072030: There is no such object on the server`** -Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. +Domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) exists that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. -You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: +It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. 
The operation fails with an error message similar to the following error message: -> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled +> **0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled** -You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present. +It's been confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present. -### Cause +### Cause of **0x80072030: There is no such object on the server** The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set. -### Resolution +### Resolution for **0x80072030: There is no such object on the server** -To resolve this issue, follow these steps: +The issue can be resolved with the following steps: 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2. + 2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery). -3. In the script, modify the value of **strPathToDomain** to your domain name. + +3. In the script, modify the value of **strPathToDomain** to the organization's domain name. + 4. Open an elevated PowerShell window, and run the following command: - ```powershell - cscript Add-TPMSelfWriteACE.vbs + ```cmd + cscript.exe \Add-TPMSelfWriteACE.vbs ``` - In this command \<*Path*> is the path to the script file. + In this command, \<*Path*> is the path to the script file. 
For more information, see the following articles: - [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md) -- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md) \ No newline at end of file +- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 61e63f2090..bac3ad9030 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md 
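Review bot: The new fenced command in step 4 shows `cscript.exe \Add-TPMSelfWriteACE.vbs`, but the sentence beneath it explains `\<*Path*>`, and no `<Path>` placeholder is visible in the command; either it was dropped in the rewrite or the angle brackets are not surviving rendering, so verify the block reads `cscript.exe <Path>\Add-TPMSelfWriteACE.vbs` with the placeholder escaped the same way the explanation does. Changing the fence from `powershell` to `cmd` is reasonable for a plain `cscript.exe` invocation, but the step text still says "Open an elevated PowerShell window"; "Command Prompt or PowerShell" would match the fence.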
@@ -1,86 +1,96 @@ --- title: BitLocker configuration known issues -description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues. +description: Describes common issues that involve BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues. ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/17/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- # BitLocker configuration: known issues -This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues. +This article describes common issues that affect BitLocker's configuration and general functionality. This article also provides guidance to address these issues. -## BitLocker encryption is slower in Windows 10 and Windows 11 +## BitLocker encryption is slower in Windows 10 and Windows 11 -In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance. +BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources than in previous versions of Windows. This behavior reduces the chance that BitLocker will affect the computer's performance. -To compensate for these changes, BitLocker uses a new conversion model. 
This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*. +To compensate for these changes, BitLocker uses a conversion model called Encrypt-On-Write. This model makes sure that any new disk writes are encrypted as soon as BitLocker is enabled. This behavior happens on all client editions and for any internal drives. > [!IMPORTANT] > To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives. ### Benefits of using the new conversion model -By using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began—that is, potentially compromised data—can still be read and written without encryption. Therefore, you must wait for the encryption process to finish before you store sensitive data on the drive. Depending on the size of the drive, this delay can be substantial. +By using the previous conversion model, an internal drive can't be considered protected and compliant with data protection standards until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began - that is, potentially compromised data - can still be read and written without encryption. Therefore, for data to be considered protected and compliant with data protection standards, the encryption process has to finish before sensitive data is stored on the drive. Depending on the size of the drive, this delay can be substantial. -By using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker. 
You don't have to wait for the encryption process to finish, and encryption does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time. +By using the new conversion model, sensitive data can be stored on the drive as soon as BitLocker is turned on. The encryption process doesn't need to finish first, and encryption doesn't adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time. ### Other BitLocker enhancements -After Windows 7 was released, several other areas of BitLocker were improved: +Several other areas of BitLocker were improved in versions of Windows released after Windows 7: -- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text. +- **New encryption algorithm, XTS-AES** - Added in Windows 10 version 1511, this algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text. By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software. -- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces: - - BitLocker Wizard - - manage-bde - - Group Policy Objects (GPOs) - - Mobile Device Management (MDM) policy - - Windows PowerShell - - Windows Management Interface (WMI) +- **Improved administration features**. BitLocker can be managed on PCs or other devices by using the following interfaces: -- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover. 
+ - BitLocker Wizard + - manage-bde.exe + - Group Policy Objects (GPOs) + - Mobile Device Management (MDM) policy + - Windows PowerShell + - Windows Management Interface (WMI) -- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup. +- **Integration with Azure Active Directory** (Azure AD) - BitLocker can store recovery information in Azure AD to make it easier to recover. -- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart. +- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)** - By using MDM policies to manage BitLocker, a device's DMA ports can be blocked which secures the device during its startup. -- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. +- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)** - If the BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, its operating system volume can be automatically unlocked during a system restart. -- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology. 
+- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)** - Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. -## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption +- **Support for classes of HDD/SSD hybrid disks** - BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology. + +## Hyper-V Gen 2 VM: Can't access the volume after BitLocker encryption Consider the following scenario: -1. You turn on BitLocker on a generation-2 virtual machine (VM) that runs on Hyper-V. -1. You add data to the data disk as it encrypts. -1. You restart the VM, and observe the following: - - The system volume is not encrypted. - - The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown." - - You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it" +1. BitLocker is turned on a generation 2 virtual machine (VM) that runs on Hyper-V. -### Cause +2. Data is added to the data disk as it encrypts. -This issue occurs because the third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the VM. +3. The VM is restarted and the following behavior is observed: -### Resolution + - The system volume isn't encrypted. + + - The encrypted volume isn't accessible, and the computer lists the volume's file system as **Unknown**. 
+ + - A message similar to the following message is displayed: + + > **You need to format the disk in \<*drive_letter:*> drive before you can use it** + +### Cause of not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM + +This issue occurs because the third-party filter driver `Stcvsm.sys` (from StorageCraft) is installed on the VM. + +### Resolution for not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM To resolve this issue, remove the third-party software. ## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks -You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup. +Consider the following scenario: + +A Windows Server 2019 or 2016 Hyper-V Server is hosting VMs (guests) that are configured as Windows domain controllers. On a domain controller guest VM, BitLocker has encrypted the disks that store the Active Directory database and log files. When a "production snapshot" of the domain controller guest VM is attempted, the Volume Snap-Shot (VSS) service doesn't correctly process the backup. This issue occurs regardless of any of the following variations in the environment: 
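Review bot: The added scenario step "BitLocker is turned on a generation 2 virtual machine (VM) that runs on Hyper-V" is missing a preposition; "BitLocker is enabled on a generation 2 virtual machine" avoids both the error and the doubled "on on". Two smaller points in the same hunk: the re-added list item "Windows Management Interface (WMI)" misexpands the acronym, which stands for Windows Management Instrumentation; and the enhancements list now uses " - " after the bold lead for every item except "**Improved administration features**.", which keeps the old period, so the separators should be made consistent.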
@@ -88,94 +98,94 @@ This issue occurs regardless of any of the following variations in the environme - Whether the VMs are generation 1 or generation 2. - Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2. -In the domain controller application log, the VSS event source records event ID 8229: +In the guest VM domain controller **Windows Logs** > **Application** Event Viewer log, the VSS event source records event **ID 8229**: -> ID: 8229 -> Level: Warning -> ‎Source: VSS -> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur. -> -> Changes that the writer made to the writer components while handling the event will not be available to the requester. -> -> Check the event log for related events from the application hosting the VSS writer. -> -> Operation: +> ID: 8229
    +> Level: Warning
    +> Source: VSS
    +> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
    +> +> Changes that the writer made to the writer components while handling the event will not be available to the requester.
    +> +> Check the event log for related events from the application hosting the VSS writer. +> +> Operation:
    > PostSnapshot Event -> -> Context: -> Execution Context: Writer -> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757} -> Writer Name: NTDS -> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75} -> Command Line: C:\\Windows\\system32\\lsass.exe -> -> Process ID: 680 +> +> Context:
    +> Execution Context: Writer
    +> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
    +> Writer Name: NTDS
    +> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
    +> Command Line: C:\\Windows\\system32\\lsass.exe
    +> +> Process ID: 680 -In the domain controller Directory Services event log, you see an event that resembles the following: +In the guest VM domain controller **Applications and Services Logs** > **Directory Service** Event Viewer log, there's an event logged similar to the following event: -> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168 +> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168
    > Internal Processing Internal error: An Active Directory Domain Services error has occurred. -> ->‎  Additional Data -> ‎  Error value (decimal): -1022 -> -> Error value (hex): fffffc02 -> -> Internal ID: 160207d9 +> +> Additional Data
    +> Error value (decimal): -1022
    +> +> Error value (hex): fffffc02 +> +> Internal ID: 160207d9 > [!NOTE] -> The internal ID of this event may differ based on your operating system release and path level. +> The internal ID of this event may differ based on the operating system release version and patch level. -After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer: +When this issue occurs, the **Active Directory Domain Services (NTDS) VSS Writer** will display the following error when the **`vssadmin.exe list writers`** command is run: -> Writer name: 'NTDS' ->   Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757} ->   Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8} ->   State: \[11\] Failed ->   Last error: Non-retryable error +```Error +Writer name: 'NTDS' + Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757} + Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8} + State: [11] Failed + Last error: Non-retryable error +``` -Additionally, you cannot back up the VMs until you restart them. +Additionally, the VMs can't be backed up until they're restarted. -### Cause +### Cause of production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks -After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a "production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails. +After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. When a "production snapshot" is initiated from the host server, Hyper-V tries to mount the snapshotted volume. However, it can't unlock the volume for unencrypted access. 
BitLocker on the Hyper-V server doesn't recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails. This behavior is by design. -### Workaround +### Workaround for production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks -There is one supported way to perform backup and restore of a virtualized domain controller: +A supported way to perform backup and restore of a virtualized domain controller is to run **Windows Server Backup** in the guest operating system. -- Run Windows Server Backup in the guest operating system. - -If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended. +If a production snapshot of a virtualized domain controller needs to be taken, BitLocker can be suspended in the guest operating system before the production snapshot is started. However, this approach isn't recommended. For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers) ### More information -When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: +When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry similar to the following error: ```console \# for hex 0xc0210000 / decimal -1071579136 -‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h -‎ \# This volume is locked by BitLocker Drive Encryption. 
+STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h +\# This volume is locked by BitLocker Drive Encryption. ``` The operation produces the following call stack: ```console \# Child-SP RetAddr Call Site -‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] -‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] -‎ 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\] -‎ 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\] -‎ 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\] -‎ 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\] -‎ 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\] -‎ 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\] -‎ 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\] -‎ 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\] -‎ 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\] -‎ 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\] -``` \ No newline at end of file + 00 00000086\`b357a800 
00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] + 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] + 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\] + 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\] + 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\] + 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\] + 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\] + 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\] + 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\] + 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\] + 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\] + 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\] +``` diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index c026262ec6..9a5952f7e5 100644 
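Review bot: The added call-stack lines keep markdown escapes inside a fenced ```console block, for example `\# Child-SP` and `KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]`; fenced code is rendered literally, so the backslashes before `#`, `!`, `[` and `]` and the doubled `\\` path separators will appear in the output and corrupt the trace. Drop the escapes and use single separators, and apply the same fix to the LSASS block above it (`\# for hex 0xc0210000`, `STATUS\_FVE\_LOCKED\_VOLUME`, `\# This volume is locked`). Also, the new ```Error fence on the `vssadmin.exe list writers` output is not a recognised highlighter name; `console` or `text` matches the other blocks in this file.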
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -5,12 +5,12 @@ ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/17/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- 
@@ -18,102 +18,103 @@ ms.custom: bitlocker Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode. -By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder. +By tracking changes in the PCRs, and identifying when they changed, insight can be gained into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the `C:\Windows\Logs\MeasuredBoot\` folder. -This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool. +This article describes tools that can be used to decode these logs: `TBSLogGenerator.exe` and `PCPTool.exe`. For more information about Measured Boot and PCRs, see the following articles: - [TPM fundamentals: Measured Boot with support for attestation](../tpm/tpm-fundamentals.md#measured-boot-with-support-for-attestation) - [Understanding PCR banks on TPM 2.0 devices](../tpm/switch-pcr-banks-on-tpm-2-0-devices.md) -## Use TBSLogGenerator to decode Measured Boot logs +## Use `TBSLogGenerator.exe` to decode Measured Boot logs -Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 11, Windows 10, and earlier versions. You can install this tool on the following systems: +Use `TBSLogGenerator.exe` to decode Measured Boot logs that were collected from Windows. 
`TBSLogGenerator.exe` can be installed on the following systems: -- A computer that is running Windows Server 2016 and that has a TPM enabled -- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM) +- A computer that is running Windows Server 2016 or newer and that has a TPM enabled +- A Gen 2 virtual machine running on Hyper-V that is running Windows Server 2016 or newer and is using a virtual TPM. To install the tool, follow these steps: -1. Download the Windows Hardware Lab Kit from one of the following locations: +1. Download the Windows Hardware Lab Kit from [Windows Hardware Lab Kit](/windows-hardware/test/hlk/). - - [Windows Hardware Lab Kit](/windows-hardware/test/hlk/) - - Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112) +2. After downloading, run the installation file from the path where the install was downloaded to. -1. Accept the default installation path. +3. Accept the default installation path. ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png) -1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. +4. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png) -1. Finish the installation. +5. Finish the installation. -To use TBSLogGenerator, follow these steps: +To use `TBSLogGenerator.exe`, follow these steps: 1. 
After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: - **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** + **`C:\Program Files (x86)\Windows Kits\10\Hardware Lab Kit\Tests\amd64\NTTEST\BASETEST\ngscb`** - This folder contains the TBSLogGenerator.exe file. + This folder contains the `TBSLogGenerator.exe` file. - ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) + ![Properties and location of the `TBSLogGenerator.exe` file.](./images/ts-tpm-3.png) 1. Run the following command: - ```console + ```cmd TBSLogGenerator.exe -LF \.log > \.txt ``` where the variables represent the following values: + - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFileName*> = the name of the file to be decoded - \<*DestinationFolderName*> = the name of the folder for the decoded text file - \<*DecodedFileName*> = the name of the decoded text file - For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: + For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the **`C:\MeasuredBoot\`** folder. The figure also shows a Command Prompt window and the command to decode the **`0000000005-0000000000.log`** file: - ```console + ```cmd TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` - ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png) + ![Command Prompt window that shows an example of how to use `TBSLogGenerator.exe`.](./images/ts-tpm-4.png) - The command produces a text file that uses the specified name. 
In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file. + The command produces a text file that uses the specified name. In this example, the file is **`0000000005-0000000000.txt`**. The file is located in the same folder as the original `.log` file. - ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) + ![Windows Explorer window that shows the text file that `TBSLogGenerator.exe`produces.](./images/ts-tpm-5.png) + + The content of this text file is similar to the following text: - The content of this text file resembles the following. - ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) - + To find the PCR information, go to the end of the file. - + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) -## Use PCPTool to decode Measured Boot logs +## Use `PCPTool.exe` to decode Measured Boot logs > [!NOTE] -> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool. +> `PCPTool.exe` is a Visual Studio solution, but executable needs to be built before tool can be used. -PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. +`PCPTool.exe` is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. -To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. +To download and install `PCPTool.exe`, go to the Toolkit page, select **Download**, and follow the instructions. 
To decode a log, run the following command: -```console +```cmd PCPTool.exe decodelog \.log > \.xml -``` +``` where the variables represent the following values: + - \<*LogFolderPath*> = the path to the folder that contains the file to be decoded - \<*LogFileName*> = the name of the file to be decoded - \<*DestinationFolderName*> = the name of the folder for the decoded text file - \<*DecodedFileName*> = the name of the decoded text file -The content of the XML file resembles the following. +The content of the XML file will be similar to the following XML: -:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: +:::image type="content" alt-text="Command Prompt window that shows an example of how to use `PCPTool.exe`." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 1ba88008b1..dd44a1446d 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md 
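Review bot: In the TBSLogGenerator steps, the line `+ The content of this text file is similar to the following text:` is kept while the `ts-tpm-6.png` screenshot that used to follow it is removed, so the sentence now introduces nothing; either restore the image or drop the sentence and continue directly with "To find the PCR information, go to the end of the file." In the intro, the rewritten "insight can be gained into issues that occur or learn why a device or computer entered BitLocker recovery mode" no longer parses after the move to passive voice; suggest "insight can be gained into issues that occur or into why a device or computer entered BitLocker recovery mode." The PCPTool note, "`PCPTool.exe` is a Visual Studio solution, but executable needs to be built before tool can be used", is missing articles and conflates the solution with the binary; suggest "PCPTool is a Visual Studio solution; the `PCPTool.exe` executable must be built before the tool can be used." Minor: the alt text "`TBSLogGenerator.exe`produces" is missing a space, and step 2, "run the installation file from the path where the install was downloaded to", would read more simply as "run the downloaded installation file". Finally, the direct download link for the Windows Server 2016 HLK (version 1607) is removed while the supported-systems list still starts at Windows Server 2016; confirm that the kit behind the remaining HLK link installs on Server 2016, or keep the version-specific link alongside it.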
@@ -1,116 +1,116 @@ --- title: Enforcing BitLocker policies by using Intune known issues -description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. +description: Provides assistance for issues that may be seen if Microsoft Intune policy is being used to manage silent BitLocker encryption on devices. ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: - Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/18/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- # Enforcing BitLocker policies by using Intune: known issues -This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. +This article helps troubleshooting issues that may be experienced if using Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. :::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png"::: -To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. 
The following sections provide more information about how to resolve the indicated events and error messages: +To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the **Management** and **Operations** logs in the **Applications and Services logs** > **Microsoft** > **Windows** > **BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: -- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1) -- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2) -- [Event ID 854: WinRE is not configured](#issue-3) -- [Event ID 851: Contact manufacturer for BIOS upgrade](#issue-4) -- [Error message: The UEFI variable 'SecureBoot' could not be read](#issue-6) -- [Event ID 846, 778, and 851: Error 0x80072f9a](#issue-7) -- [Error message: Conflicting Group Policy settings for recovery options on operating system drives](#issue-5) +- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#event-id-853-error-a-compatible-trusted-platform-module-tpm-security-device-cannot-be-found-on-this-computer) +- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#event-id-853-error-bitlocker-drive-encryption-detected-bootable-media-cd-or-dvd-in-the-computer) +- [Event ID 854: WinRE is not configured](#event-id-854-winre-is-not-configured) +- [Event ID 851: Contact manufacturer for BIOS upgrade](#event-id-851-contact-the-manufacturer-for-bios-upgrade-instructions) +- [Error message: The UEFI variable 'SecureBoot' could not be read](#error-message-the-uefi-variable-secureboot-could-not-be-read) +- [Event ID 846, 778, and 851: Error 
0x80072f9a](#event-id-846-778-and-851-error-0x80072f9a) +- [Error message: There are conflicting group policy settings for recovery options on operating system drives](#error-message-there-are-conflicting-group-policy-settings-for-recovery-options-on-operating-system-drives) -If you do not have a clear trail of events or error messages to follow, other areas to investigate include the following: +If there's no clear trail of events or error messages to follow, other areas to investigate include the following areas: - [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements) -- [Review your BitLocker policy configuration](#policy) +- [Review BitLocker policy configuration](#review-bitlocker-policy-configuration) For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). -## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer +## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer -Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following: +Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device doesn't appear to have a TPM. 
The event information will be similar to the following event: -![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png) +![Details of event ID 853 (A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer).](./images/4509190-en-1.png) -### Cause +### Cause of Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer -The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM. +The device that is being secured may not have a TPM chip, or the device BIOS might have been configured to disable the TPM. -### Resolution +### Resolution for Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer -To resolve this issue, verify the following: +To resolve this issue, verify the following configurations: - The TPM is enabled in the device BIOS. -- The TPM status in the TPM management console resembles the following: - - Ready (TPM 2.0) - - Initialized (TPM 1.2) +- The TPM status in the TPM management console is similar to the following statuses: + - Ready (TPM 2.0) + - Initialized (TPM 1.2) For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md). -## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer +## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer -In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following. +In this case, event ID 853 is displayed, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following. 
![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png) -### Cause +### Cause of Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer -During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. +During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if the media is removed), BitLocker recovery mode automatically starts. To avoid this situation, the provisioning process stops if it detects a removable bootable media. -### Resolution +### Resolution for Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer Remove the bootable media, and restart the device. After the device restarts, verify the encryption status. -## Event ID 854: WinRE is not configured +## Event ID 854: WinRE is not configured -The event information resembles the following: +The event information resembles the following error message: > Failed to enable Silent Encryption. WinRe is not configured. > > Error: This PC cannot support device encryption because WinRE is not properly configured. -### Cause +### Cause of Event ID 854: WinRE is not configured -Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE. +Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). 
WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device can't start the regular Windows operating system, the device tries to start WinRE. The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. -If WinRE is not available on the device, provisioning stops. +If WinRE isn't available on the device, provisioning stops. -### Resolution +### Resolution for Event ID 854: WinRE is not configured -You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration. To do this, follow these steps. +This issue can be resolved by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration by following these steps: #### Step 1: Verify the configuration of the disk partitions -The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim file. The partition configuration resembles the following. +The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the **`Winre.wim`** file. The partition configuration resembles the following. 
![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png) To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands: -```console -diskpart +```cmd +diskpart.exe list volume ``` ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) -If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager): +If the status of any of the volumes isn't healthy or if the recovery partition is missing, Windows may need to be reinstalled. Before reinstalling Windows, check the configuration of the Windows image that is being provisioned. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager): ![Windows image configuration in Microsoft Configuration Manager.](./images/configmgr-imageconfig.jpg) 
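Review bot: "This article helps troubleshooting issues that may be experienced if using Microsoft Intune policy" in the opening paragraph is ungrammatical; suggest "This article helps troubleshoot issues that may occur when Microsoft Intune policy is used to manage silent BitLocker encryption on devices." In the list of links, the text for Event ID 851 still reads "Contact manufacturer for BIOS upgrade" while the new anchor and the heading it points to read "Contact the manufacturer for BIOS upgrade instructions"; align the link text with the heading so readers can match them. The rewritten "Cause of ..." and "Resolution for ..." H3s repeat the full H2 title each time; if the goal is unique anchors, a shorter suffix would keep the TOC readable. Also note that "Windows 11 and Windows 10 automatically create a recovery partition" is retained in this hunk while later hunks strip Windows 11 from the scope statements; keep the article consistent on whether Windows 11 is in scope.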
@@ -118,109 +118,110 @@ If the status of any of the volumes is not healthy or if the recovery partition To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: -```console -reagentc /info +```cmd +reagentc.exe /info ``` + The output of this command resembles the following. -![Output of the reagentc /info command.](./images/4509193-en-1.png) +![Output of the reagentc.exe /info command.](./images/4509193-en-1.png) -If the **Windows RE status** is not **Enabled**, run the following command to enable it: +If the **Windows RE status** isn't **Enabled**, run the following command to enable it: -```console -reagentc /enable +```cmd +reagentc.exe /enable ``` #### Step 3: Verify the Windows Boot Loader configuration -If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: +If the partition status is healthy, but the **`reagentc.exe /enable`** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID by running the following command in an elevated Command Prompt window: -```console -bcdedit /enum all +```cmd +bcdedit.exe /enum all ``` -The output of this command resembles the following: +The output of this command will be similar to the following output: :::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: -In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. +In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. 
In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. -## Event ID 851: Contact the manufacturer for BIOS upgrade instructions +## Event ID 851: Contact the manufacturer for BIOS upgrade instructions -The event information resembles the following: +The event information will be similar to the following error message: > Failed to enable Silent Encryption. > > Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions. -### Cause +### Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions -The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS. +The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS. -### Resolution +### Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions -To verify the BIOS mode, use the System Information application. To do this, follow these steps: +To verify the BIOS mode, use the System Information application by following these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. -1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. +2. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) -1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. +3. If the **BIOS Mode** setting is **Legacy**, the UEFI firmware needs to be switched to **UEFI** or **EFI** mode. The steps for switching to **UEFI** or **EFI** mode are specific to the device. 
> [!NOTE] - > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device. + > If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device. -## Error message: The UEFI variable 'SecureBoot' could not be read +## Error message: The UEFI variable 'SecureBoot' could not be read -You receive an error message that resembles the following: +An error message similar to the following error message is displayed: > **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client. -### Cause +### Cause of Error message: The UEFI variable 'SecureBoot' could not be read A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on. -### Resolution +### Resolution for Error message: The UEFI variable 'SecureBoot' could not be read -You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps: +This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps: #### Step 1: Verify the PCR validation profile of the TPM To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: -```console -Manage-bde -protectors -get %systemdrive% +```cmd +Manage-bde.exe -protectors -get %systemdrive% ``` In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows: ![Output of the manage-bde command.](./images/4509199-en-1.png) -If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on. 
+If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot isn't turned on. ![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png) -#### 2. Verify the secure boot state +#### 2: Verify the secure boot state -To verify the secure boot state, use the System Information application. To do this, follow these steps: +To verify the secure boot state, use the System Information application by following these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. -1. Verify that the **Secure Boot State** setting is **On**, as follows: +2. Verify that the **Secure Boot State** setting is **On**, as follows: ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) -1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. +3. If the **Secure Boot State** setting is **Unsupported**, Silent BitLocker Encryption can't be used on the device. ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] -> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> The [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command: > -> ```ps -> PS C:\> Confirm-SecureBootUEFI +> ```powershell +> Confirm-SecureBootUEFI > ``` > > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." 
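Review bot: The new subheading `#### 2: Verify the secure boot state` is inconsistent with `#### Step 1: Verify the PCR validation profile of the TPM` directly above it; make it `#### Step 2: Verify the secure boot state`. Step 3 of the BIOS-mode procedure now says "the UEFI firmware needs to be switched to **UEFI** or **EFI** mode", but a device whose BIOS Mode reports Legacy is by definition not yet running in UEFI mode; "the firmware needs to be switched to UEFI or EFI mode" avoids the contradiction. "An error message similar to the following error message is displayed" repeats "error message"; "An error message similar to the following is displayed" is enough. The executable casing `Manage-bde.exe` differs from the lowercase `manage-bde` used in the image alt text on the same lines; both work on Windows, but pick one. Changing the numbered lists from repeated `1.` to `2.`/`3.` also diverges from the "To use TBSLogGenerator.exe" list in the first file of this patch, which keeps the repeated `1.` style; use one convention across the change.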
@@ -229,56 +230,58 @@ To verify the secure boot state, use the System Information application. To do t > > If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform." -## Event ID 846, 778, and 851: Error 0x80072f9a +## Event ID 846, 778, and 851: Error 0x80072f9a -In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option. +Consider the following scenario: -The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): +Intune policy is being deployed to encrypt a Windows 10, version 1809 device, and the recovery password is being stored in Azure Active Directory (Azure AD). As part of the policy configuration, the **Allow standard users to enable encryption during Azure AD Join** option has been selected. + +The policy deployment fails and the failure generates the following events in Event Viewer in the **Applications and Services Logs** > **Microsoft** > **Windows** > **BitLocker API** folder: > Event ID:846 -> +> > Event: > Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD. -> +> > TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3} > Error: Unknown HResult Error code: 0x80072f9a > Event ID:778 -> +> > Event: The BitLocker volume C: was reverted to an unprotected state. > Event ID: 851 -> +> > Event: > Failed to enable Silent Encryption. -> +> > Error: Unknown HResult Error code: 0x80072f9a. These events refer to Error code 0x80072f9a. 
-### Cause +### Cause of Event ID 846, 778, and 851: Error 0x80072f9a -These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails. +These events indicate that the signed-in user doesn't have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails. -The issue affects Windows 11 and Windows 10 version 1809. +The issue affects Windows 10 version 1809. -### Resolution +### Resolution for Event ID 846, 778, and 851: Error 0x80072f9a To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update. -## Error message: There are conflicting group policy settings for recovery options on operating system drives +## Error message: There are conflicting group policy settings for recovery options on operating system drives -You receive a message that resembles the following: +An error message similar to the following error message is displayed: > **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker… -### Resolution +### Resolution for Error message: There are conflicting group policy settings for recovery options on operating system drives -To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). 
+To resolve this issue, review the group policy object (GPO) settings for conflicts. For more information, see the next section, [Review BitLocker policy configuration](#review-bitlocker-policy-configuration). For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)). -## Review your BitLocker policy configuration +## Review BitLocker policy configuration For information about the procedure to use policy together with BitLocker and Intune, see the following resources: 
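Review bot: Dropping "Windows 11" from the scenario and from "The issue affects Windows 10 version 1809" is consistent with the resolution in this hunk, which is the May 21, 2019 update (KB4497934) for version 1809, so the narrowed scope looks correct here and is the one place in the patch where removing Windows 11 is clearly justified. Style: "An error message similar to the following error message is displayed" in the conflicting-GPO section repeats "error message" and can be shortened to "An error message similar to the following is displayed." The "Consider the following scenario:" lead-in followed by the scenario paragraph reads well; no further changes needed.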
@@ -292,13 +295,13 @@ For information about the procedure to use policy together with BitLocker and In Intune offers the following enforcement types for BitLocker: -- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later, or Windows 11.) -- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later, or Windows 11.) -- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803, or Windows 11.) +- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.) +- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.) +- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.) -If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption. +If the device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy isn't required to enforce device encryption. -If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following: +If the device is HSTI-compliant but doesn't support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption. 
The settings for this policy should be similar to the following settings: ![Intune policy settings.](./images/4509186-en-1.png) 
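Review bot: Removing "or Windows 11" from the three enforcement types and from the two HSTI paragraphs narrows the stated applicability; "Windows 10 version 1703 and later" does not obviously include Windows 11 to a reader, so either keep the explicit mention or state once at the top of the section that Windows 11 is covered. Unlike the 0x80072f9a hunk, nothing in these lines ties the behavior to a specific Windows 10 build, so the removal needs a justification or a reversal.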
@@ -306,25 +309,25 @@ The OMA-URI references for these settings are as follows: - OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption** Value Type: **Integer** - Value: **1**  (1 = Require, 0 = Not Configured) + Value: **1** (1 = Require, 0 = Not Configured) - OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption** Value Type: **Integer** Value: **0** (0 = Blocked, 1 = Allowed) > [!NOTE] -> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant. +> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, an endpoint protection policy can be used to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant. > [!NOTE] -> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard. +> If the **Warning for other disk encryption** setting is set to **Not configured**, the BitLocker drive encryption wizard has to be manually started. -If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard. 
+If the device doesn't support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. When the user selects the notification, it will start the BitLocker Drive Encryption wizard. -The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements: +Intune provides settings that can be used to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements: - Be HSTI-compliant - Support Modern Standby -- Use Windows 10 version 1803 or later, or Windows 11 +- Use Windows 10 version 1803 or later ![Intune policy setting.](./images/4509188-en-1.png) @@ -335,7 +338,13 @@ The OMA-URI references for these settings are as follows: Value: **1** > [!NOTE] -> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles. +> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when the following settings are set: +> +> - **RequireDeviceEncryption** to **1** +> - **AllowStandardUserEncryption** to **1** +> - **AllowWarningForOtherDiskEncryption** to **0** +> +> Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles. ## Verifying that BitLocker is operating correctly 
@@ -345,13 +354,13 @@ During regular operations, BitLocker drive encryption generates events such as E ![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png) -You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section. +It can also be determined whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section. ![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png) On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys: -- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker** -- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** +- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`** +- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device`** -![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png) \ No newline at end of file +![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index 00e41f6158..530b0f37e4 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md 
@@ -1,90 +1,105 @@ --- -title: BitLocker network unlock known issues -description: Describes several known issues that you may encounter while using network unlock, and provided guidance for addressing those issues. +title: BitLocker Network Unlock known issues +description: Describes several known issues that may be encountered while using Network Unlock, and provided guidance for addressing those issues. ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: v-tappelgate -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.reviewer: kaushika ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.custom: bitlocker +ms.date: 11/08/2022 --- -# BitLocker network unlock: known issues +# BitLocker Network Unlock: known issues -By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, your environment needs to meet the following requirements: +By using the BitLocker Network Unlock feature, computers can be managed remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, the environment needs to meet the following requirements: - Each computer belongs to a domain. - Each computer has a wired connection to the internal network. - The internal network uses DHCP to manage IP addresses. - Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware. -For general guidelines about how to troubleshoot network unlock, see [How to enable network unlock: Troubleshoot network unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock). 
+For general guidelines about how to troubleshoot BitLocker Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock). -This article describes several known issues that you may encounter when you use network unlock, and provides guidance to address these issues. +This article describes several known issues that may be encountered when BitLocker Network Unlock is used and provides guidance to address these issues. -## Tip: Detect whether BitLocker network unlock is enabled on a specific computer +> [!TIP] +> BitLocker Network Unlock can be detected if it is enabled on a specific computer use the following steps on UEFI computers: +> +> 1. Open an elevated command prompt window and run the following command: +> +> ```cmd +> manage-bde.exe -protectors -get +> ``` +> +> For example: +> +> ```cmd +> manage-bde.exe -protectors -get C: +> ``` +> +> If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock. +> +> 2. Start Registry Editor, and verify the following settings: +> +> 1. The following registry key exists and has the following value: +> +> - **Subkey**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE` +> - **Type**: `REG_DWORD` +> - **Value**: `OSManageNKP` equal to `1` (True) +> +> 2. The registry key: +> +> `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates` +> +> has an entry whose name matches the name of the certificate thumbprint of the BitLocker Network Unlock key protector that was found in step 1. -You can use the following steps on computers with either x64 or x32 UEFI firmware. You can also script these commands. +## On a Surface Pro 4 device, BitLocker Network Unlock doesn't work because the UEFI network stack is incorrectly configured -1. 
Open an elevated command prompt window and run the following command: +Consider the following scenario: - ```cmd - manage-bde -protectors -get - ``` - - ```cmd - manage-bde -protectors -get C: - ``` +BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). UEFI of a Surface Pro 4 has been configured to use DHCP. However, when the Surface Pro 4 is restarted, it still prompts for a BitLocker PIN. - Where `` is the drive letter, followed by a colon (`:`), of the bootable drive. - If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock. +When testing another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure, the device restarts as expected, without prompting for the BitLocker PIN. This test confirms that the infrastructure is correctly configured, and the issue is specific to the device. -1. Start Registry Editor, and verify the following settings: - - Entry `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE: OSManageNKP` is set to `1`. - - Subkey `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates` has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1. +### Cause of BitLocker Network Unlock not working on Surface Pro 4 -## 1. On a Surface Pro 4 device, BitLocker network unlock doesn't work because the UEFI network stack is incorrectly configured +The UEFI network stack on the device is incorrectly configured. -You've configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You've configured the UEFI of the device to use DHCP. 
However, when you restart the device, it still prompts you for the BitLocker PIN. +### Resolution for BitLocker Network Unlock not working on Surface Pro 4 -You test another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device. - -### Cause of issue 1 - -The UEFI network stack on the device was incorrectly configured. - -### Resolution for issue 1 - -To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm). +To correctly configure the UEFI network stack of the Surface Pro 4, the Microsoft Surface Enterprise Management Mode (SEMM) needs to be used. For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm). > [!NOTE] -> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option. +> If SEMM can't be used, the Surface Pro 4 may be able to use BitLocker Network Unlock by configuring the Surface Pro 4 to use the network as its first boot option. -## 2. Unable to use BitLocker network unlock feature on a Windows client computer +## Unable to use BitLocker Network Unlock feature on a Windows client computer -You have configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8 client computer that is connected to the internal network with an ethernet cable. 
However, when you restart the computer, it still prompts you for the BitLocker PIN. +Consider the following scenario: -### Cause of issue 2 +BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). A Windows 8 client computer is connected to the internal network with an ethernet cable. However, when the device is restarted, the device still prompts for the BitLocker PIN. -A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. +### Cause of unable to use BitLocker Network Unlock feature on a Windows client computer + +A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the BitLocker Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests. The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option: -- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. -- The third message that the BitLocker network unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request. +- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. 
+- The third message that the BitLocker Network Unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request. -A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message. +A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages. After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message. If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message. -For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable network unlock: network unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence). +For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence). 
-### Resolution for issue 2 +### Resolution for unable to use BitLocker Network Unlock feature on a Windows client computer To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index 03932d4c98..5292df2a16 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md 
@@ -5,29 +5,29 @@ ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: - Windows Security Technologies\BitLocker - highpri ms.topic: troubleshooting -ms.date: 10/18/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- # BitLocker recovery: known issues -This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues. +This article describes common issues that may prevent BitLocker from behaving as expected when a drive is recovered, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues. > [!NOTE] > In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors). ## Windows prompts for a non-existing BitLocker recovery password -Windows prompts you for a BitLocker recovery password. However, you did not configure a BitLocker recovery password. +Windows prompts for a BitLocker recovery password. However, a BitLocker recovery password wasn't configured. -### Resolution +### Resolution for Windows prompts for a non-existing BitLocker recovery password The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue: 
@@ -35,200 +35,210 @@ The BitLocker and Active Directory Domain Services (AD DS) FAQ address situation - [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml) -## The recovery password for a laptop was not backed up, and the laptop is locked +## The recovery password for a laptop wasn't backed up, and the laptop is locked -You have a Windows 11 or Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. +Consider the following scenario: -### Resolution +The hard disk of a Windows 11 or Windows 10 laptop has to be recovered. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password wasn't backed up, and the usual user of the laptop isn't available to provide the password. + +### Resolution for the recovery password for a laptop wasn't backed up You can use either of the following methods to manually back up or synchronize an online client's existing recovery information: - Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). -- In an elevated Command Prompt window, use the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command to back up the information. +- In an elevated Command Prompt window, use the [manage-bde.exe](/windows-server/administration/windows-commands/manage-bde) command to back up the information. 
- For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: + For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: - ```console - manage-bde -protectors -adbackup C: + ```cmd + manage-bde.exe -protectors -adbackup C: ``` > [!NOTE] > BitLocker does not automatically manage this backup process. -## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode +## Tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode -You have a tablet or slate device, and you try to test BitLocker recovery by running the following command: +Consider the following scenario: -```console -Manage-bde -forcerecovery +BitLocker recovery needs to be tested on a tablet or slate device by running the following command: + +```cmd +manage-bde.exe -forcerecovery ``` -However, after you enter the recovery password, the device cannot start. +However, after entering the recovery password, the device can't start. -### Cause +### Cause of tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode > [!IMPORTANT] -> Tablet devices do not support the **manage-bde -forcerecovery** command. +> Tablet devices do not support the **`manage-bde.exe -forcerecovery`** command. -This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input. +This issue occurs because the Windows Boot Manager can't process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input. 
-If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting. +If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **`manage-bde.exe -forcerecovery`** command deletes the TPM protectors on the hard disk. Therefore, WinRE can't reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting. This behavior is by design for all versions of Windows. -### Workaround +### Workaround for tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode To resolve the restart loop, follow these steps: 1. On the BitLocker Recovery screen, select **Skip this drive**. -1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. +2. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. -1. In the Command Prompt window, run the following commands: +3. In the Command Prompt window, run the following commands: - ```console - manage-bde –unlock C: -rp <48-digit BitLocker recovery password> - manage-bde -protectors -disable C: + ```cmd + manage-bde.exe -unlock C: -rp <48-digit BitLocker recovery password> + manage-bde.exe -protectors -disable C: ``` -1. Close the Command Prompt window. +4. Close the Command Prompt window. -1. Shut down the device. +5. Shut down the device. -1. Start the device. Windows should start as usual. +6. Start the device. Windows should start as usual. -## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password +## After installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password -You have a Surface device that has BitLocker drive encryption turned on. 
You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. +Consider the following scenario: + +A Surface device has BitLocker drive encryption turned on. The firmware of the Surface's TPM is updated or an update that changes the signature of the system firmware is installed. For example, the Surface TPM (IFX) update is installed. You experience one or more of the following symptoms on the Surface device: -- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn’t start up. -- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings. +- At startup, the Surface device prompts for a BitLocker recovery password. The correct recovery password is entered, but Windows doesn't start up. + +- Startup progresses directly into the Surface device's Unified Extensible Firmware Interface (UEFI) settings. + - The Surface device appears to be in an infinite restart loop. -### Cause +### Cause of after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way: - Secure boot is turned off. - PCR values have been explicitly defined, such as by group policy. -Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. 
For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)). +Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see the [About the Platform Configuration Register (PCR)](bitlocker-group-policy-settings.md#about-the-platform-configuration-register-pcr) section of the [BitLocker Group Policy Settings](bitlocker-group-policy-settings.md) article. -### Resolution +### Resolution for after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command: -```console +```cmd manage-bde.exe -protectors -get : ``` -In this command, <*OSDriveLetter*> represents the drive letter of the operating system drive. +In this command, *\* represents the drive letter of the operating system drive. -To resolve this issue and repair the device, follow these steps. +To resolve this issue and repair the device, follow these steps: -#### Step 1: Disable the TPM protectors on the boot drive +#### Step 1: Disable the TPM protectors on the boot drive -If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive. 
+If a TPM or UEFI update has been installed and the Surface device can't start, even if the correct BitLocker recovery password has been entered, the ability to start can be restored by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive. -To do this, follow these steps: +To use the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive, follow these steps: -1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. +1. Obtain the BitLocker recovery password from the Surface user's [Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune, contact the administrator for help. -1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. +2. Use another computer to download the Surface recovery image from [Surface Recovery Image Download](https://support.microsoft.com/surface-recovery-image). Use the downloaded image to create a USB recovery drive. -1. Insert the USB Surface recovery image drive into the Surface device, and start the device. +3. Insert the USB Surface recovery image drive into the Surface device, and start the device. -1. When you are prompted, select the following items: +4. When prompted, select the following items: - 1. Your operating system language. + 1. The operating system language. - 1. Your keyboard layout. + 2. The keyboard layout. -1. 
Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. +5. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. -1. In the Command Prompt window, run the following commands: +6. In the Command Prompt window, run the following commands: - ```console - manage-bde -unlock -recoverypassword : - manage-bde -protectors -disable : + ```cmd + manage-bde.exe -unlock -recoverypassword : + manage-bde.exe -protectors -disable : ``` - In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + where: + + - *\* is the BitLocker recovery password that was obtained in Step 1 + - *\* is the drive letter that is assigned to the operating system drive > [!NOTE] - > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). + > For more information about how to use this command, see [manage-bde unlock](/windows-server/administration/windows-commands/manage-bde-unlock). -1. Restart the computer. +7. Restart the computer. -1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. +8. When prompted, enter the BitLocker recovery password that was obtained in Step 1. > [!NOTE] -> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. +> After the TPM protectors are disabled, BitLocker drive encryption no longer protects the device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press **Enter**. Follow the steps to encrypt the drive. 
-#### Step 2: Use Surface BMR to recover data and reset your device +#### Step 2: Use Surface BMR to recover data and reset the Surface device -To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: +To recover data from the Surface device if Windows doesn't start, follow steps 1 through 5 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive) to get to a Command Prompt window. Once a Command Prompt window is open, follow these steps: 1. At the command prompt, run the following command: - ```console - manage-bde -unlock -recoverypassword : + ```cmd + manage-bde.exe -unlock -recoverypassword : ``` - In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + In this command, *\* is the BitLocker recovery password that was obtained in Step 1 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive), and \<*DriveLetter*> is the drive letter that is assigned to the operating system drive. -1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. +2. After the drive is unlocked, use the **`copy`** or **`xcopy.exe`** command to copy the user data to another drive. > [!NOTE] - > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). + > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands) article. -1. 
To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512). +3. To reset the device by using a Surface recovery image, follow the instructions in the article [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/surface/creating-and-using-a-usb-recovery-drive-for-surface-677852e2-ed34-45cb-40ef-398fc7d62c07). #### Step 3: Restore the default PCR values -To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values. +To prevent this issue from recurring, it's recommended to restore the default configuration of Secure Boot and the PCR values. -To enable secure boot on a Surface device, follow these steps: +To enable Secure Boot on a Surface device, follow these steps: -1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: +1. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet: ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` - In this command, <*DriveLetter*> is the letter that is assigned to your drive. + In this command, *\* is the letter that is assigned to the drive. -1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. +2. Restart the device, and then edit the UEFI settings to set the **Secure Boot** option to **Microsoft Only**. -1. Restart the device. +3. Restart the device and sign into Windows. -1. Open an elevated PowerShell window, and run the following cmdlet: +4. Open an elevated PowerShell window and run the following PowerShell cmdlet: ```powershell - Resume-BitLocker -MountPoint ":" ``` To reset the PCR settings on the TPM, follow these steps: -1. 
Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. +1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. - For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). + For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). -1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: +2. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet: ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` - - where <*DriveLetter*> is the letter assigned to your drive. -1. Run the following cmdlet: + In this command, *\* is the letter that is assigned to the drive. + +3. Run the following PowerShell cmdlet: ```powershell Resume-BitLocker -MountPoint ":" 
@@ -236,92 +246,108 @@ To reset the PCR settings on the TPM, follow these steps: #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates -You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates. +You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying such updates. > [!IMPORTANT] -> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps&preserve-view=true) and set the **Reboot Count** parameter to either of the following values: -> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes. -> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps&preserve-view=true) or another mechanism to resume protection. +> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, the PowerShell cmdlet [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker) must be used and the **Reboot Count** parameter must be set to either of the following values: +> +> - **2** or greater: This value sets the number of times the device will restart before BitLocker Device Encryption resumes. For example, setting the value to **2** will cause BitLocker to resume after the device restarts twice. +> +> - **0**: This value suspends BitLocker Drive Encryption indefinitely. To resume BitLocker, the PowerShell cmdlet [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker) or another mechanism needs to be used to resume BitLocker protection. 
-To suspend BitLocker while you install TPM or UEFI firmware updates: +To suspend BitLocker while installing TPM or UEFI firmware updates: -1. Open an elevated Windows PowerShell window, and run the following cmdlet: +1. Open an elevated Windows PowerShell window and run the following PowerShell cmdlet: ```powershell - Suspend-BitLocker -MountPoint ":" -RebootCount 0 - + Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` - In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. -1. Install the Surface device driver and firmware updates. + In this PowerShell cmdlet, *\* is the letter that is assigned to the drive. -1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: +2. Install the Surface device driver and firmware updates. + +3. After installing the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following PowerShell cmdlet: ```powershell Resume-BitLocker -MountPoint ":" ``` + -## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000 + ## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000 -You have a device that uses TPM 1.2 and runs Windows 10, version 1809, or Windows 11. Also, the device uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following. +Consider the following scenario: + +A device uses TPM 1.2 and runs Windows 10, version 1809. 
The device also uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time the device is started, the device enters BitLocker Recovery mode and an error message similar to the following error message is displayed: > Recovery -> +> > Your PC/Device needs to be repaired. > A required file couldn't be accessed because your BitLocker key wasn't loaded correctly. 
> @@ -329,15 +355,15 @@ You have a device that uses TPM 1.2 and runs Windows 10, version 1809, or Window > > You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer. -### Cause +### Cause of Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000 -TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) +TPM 1.2 doesn't support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows](../../threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) -### Resolution +### Resolution for Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000 -To resolve this issue, do one of the following: +To resolve this issue, use one of the following two solutions: - Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch. - Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md index b6ea2d5b56..c6628ccd73 100644 
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md @@ -5,12 +5,12 @@ ms.reviewer: kaushika ms.technology: itpro-security ms.prod: windows-client ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika +author: frankroj +ms.author: frankroj +manager: aaroncz ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/18/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- @@ -20,13 +20,15 @@ This article describes common issues that relate directly to the trusted platfor ## Azure AD: Windows Hello for Business and single sign-on don't work -You have an Azure Active Directory (Azure AD)-joined client computer that can't authenticate correctly. You experience one or more of the following symptoms: +Consider the following scenario: -- Windows Hello for Business doesn't work. -- Conditional access fails. -- Single sign-on (SSO) doesn't work. +An Azure Active Directory (Azure AD)-joined client computer can't authenticate correctly. The computer is experiencing one or more of the following symptoms: -Additionally, the computer logs the following entry for Event ID 1026: +- Windows Hello for Business doesn't work +- Conditional access fails +- Single sign-on (SSO) doesn't work + +Additionally, in Event Viewer, the computer logs the following Event ID 1026 event under **Windows Logs** > **System**: > Log Name: System > Source: Microsoft-Windows-TPM-WMI 
@@ -38,54 +40,66 @@ Additionally, the computer logs the following entry for Event ID 1026: > User: SYSTEM > Computer: \ > Description: -> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready. +> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically. To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready. > Error: The TPM is defending against dictionary attacks and is in a time-out period. > Additional Information: 0x840000 -### Cause +### Cause of Azure AD: Windows Hello for Business and single sign-on don't work This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys. Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token). -### Resolution +### Resolution for Azure AD: Windows Hello for Business and single sign-on don't work -To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. This may indicate that the computer couldn't present its certificate for authentication. +To verify the status of the PRT, use the [dsregcmd.exe /status](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. 
If the value of the attribute is **No**, it may indicate that the computer couldn't present its certificate for authentication. To resolve this issue, follow these steps to troubleshoot the TPM: -1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box. -1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions. -1. If you don't see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. -1. Contact the hardware vendor to determine whether there's a known fix for the issue. -1. If you still can't resolve the issue, clear and reinitialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +1. Open the TPM management console (`tpm.msc`) by selecting **Start** and entering **tpm.msc** in the **Search** box. + +2. If a notice is displayed to either unlock the TPM or reset the lockout, contact the hardware vendor to determine whether there's a known fix for the issue. + +3. If the issue is still not resolved after contacting the hardware vendor, clear and reinitialize the TPM by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). + > [!WARNING] > Clearing the TPM can cause data loss. +If in Step 2 there's no notice to either unlock the TPM or reset the lockout, review the UEFI firmware/BIOS settings of the computer for any setting that can be used to reset or disable the lockout. + ## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use -You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. 
When you try to open the TPM management console, you receive the following message: +Consider the following scenario: + +When trying to open the TPM management console on a Windows computer that uses TPM version 1.2, the following message is displayed: > Loading the management console failed. The device that is required by the cryptographic provider is not ready for use. > HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY > The device that is required by this cryptographic provider is not ready for use. > TPM Spec version: TPM v1.2 -On a different device that is running the same version of Windows, you can open the TPM management console. +On a different device that is running the same version of Windows, the TPM management console can be opened. -### Cause (suspected) +### Cause (suspected) of TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use These symptoms indicate that the TPM has hardware or firmware issues. -### Resolution +### Resolution for TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use -To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0. +To resolve the issue: -If this doesn't resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0. +- Switch the TPM operating mode from version 1.2 to version 2.0 if the device has this option available. + +- If switching the TPM from version 1.2 to version 2.0 doesn't resolve the issue, or if the device doesn't have TPM version 2.0 available, contact the hardware vendor to determine whether there's a UEFI firmware update/BIOS update/TPM update for the device. If there's an update available, install the update to see if it resolves the issue. 
+ +- If updating the UEFI firmware/BIOS doesn't resolve the issue, or if there's no update available, consider replacing the device motherboard by contacting the hardware vendor. After the motherboard has been replaced, switch the TPM operating mode from version 1.2 to version 2.0 if this option is available. + + > [!WARNING] + > Replacing the motherboard will cause data in the TPM to be lost. ## Devices don't join hybrid Azure AD because of a TPM issue -You have a device that you're trying to join to a hybrid Azure AD. However, the join operation appears to fail. +When trying to join a device to a hybrid Azure AD, the join operation appears to fail. To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded: 
@@ -94,16 +108,16 @@ To verify that the join succeeded, use the [dsregcmd /status command](/azure/act If the value of **AzureADJoined** is **No**, the join operation failed. -### Causes and Resolutions +### Causes and resolutions for devices don't join hybrid Azure AD because of a TPM issue -This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table: +This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events are displayed, as shown in the following table: |Message |Reason | Resolution| | - | - | - | -|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. | -|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | -|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | -|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. | +|*NTE\_BAD\_KEYSET (0x80090016/-2146893802)* |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. 
When creating a sysprep image, make sure to use a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. | +|*TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)* |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | +|*TPM\_E\_NOTFIPS (0x80280036/-2144862154*) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | +|*NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775)* |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. | For more information about TPM issues, see the following articles: diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 96c61886e5..765325f2f0 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -3,17 +3,18 @@ title: Encrypted Hard Drive (Windows) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.reviewer: manager: aaroncz -ms.author: dansimp +ms.author: frankroj ms.prod: windows-client -author: dulcemontemayor -ms.date: 04/02/2019 +author: frankroj +ms.date: 11/08/2022 ms.technology: itpro-security --- # Encrypted Hard Drive -**Applies to** -- Windows 10 +*Applies to:* + +- Windows 10 - Windows 11 - Windows Server 2022 - Windows Server 2019 
@@ -22,29 +23,29 @@ ms.technology: itpro-security Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management. -By offloading the cryptographic operations to a hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. +By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. Encrypted hard drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to encrypted hard drives without additional modification, beginning with Windows 8 and Windows Server 2012. Encrypted hard drives provide: -- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. -- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system -- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive. -- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process. 
+- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. +- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system +- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive. +- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process. Encrypted hard drives are supported natively in the operating system through the following mechanisms: -- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type. -- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate. -- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate. -- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE). -- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience. +- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type. +- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate. +- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate. 
+- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE). +- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience. >[!WARNING] >Self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices. Encrypted hard drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-encrypting hard drives do not have these requirements. It is important to confirm that the device type is an encrypted hard drive for Windows when planning for deployment. - -If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). + +If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). ## System Requirements 
@@ -52,44 +53,44 @@ To use encrypted hard drives, the following system requirements apply: For an encrypted hard drive used as a **data drive**: -- The drive must be in an uninitialized state. -- The drive must be in a security inactive state. +- The drive must be in an uninitialized state. +- The drive must be in a security inactive state. For an encrypted hard drive used as a **startup drive**: -- The drive must be in an uninitialized state. -- The drive must be in a security inactive state. -- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). -- The computer must have the compatibility support module (CSM) disabled in UEFI. -- The computer must always boot natively from UEFI. +- The drive must be in an uninitialized state. +- The drive must be in a security inactive state. +- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). +- The computer must have the compatibility support module (CSM) disabled in UEFI. +- The computer must always boot natively from UEFI. >[!WARNING] >All encrypted hard drives must be attached to non-RAID controllers to function properly. - + ## Technical overview -Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. 
When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. +Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. ## Configuring encrypted hard drives as startup drives Configuration of encrypted hard drives as startup drives is done using the same methods as standard hard drives. These methods include: -- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. -- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work. 
-- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. -- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work. +- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. +- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work. +- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. 
+- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work. ## Configuring hardware-based encryption with group policy -There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: +There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: -- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd) +- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-fixed-data-drives) - [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives) - [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives) ## Encrypted hard drive architecture -Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the data encryption key (DEK) and the authentication key (AK). 
+Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These encryption keys are the data encryption key (DEK) and the authentication key (AK). The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable. 
@@ -97,13 +98,13 @@ The AK is the key used to unlock data on the drive. A hash of the key is stored When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device. -When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue. +When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. If the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK, and read-writes to the volume can continue. -## Re-configuring encrypted hard drives +## Reconfiguring encrypted hard drives Many encrypted hard drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state: -1. Open Disk Management (diskmgmt.msc) -2. Initialize the disk and select the appropriate partition style (MBR or GPT) -3. Create one or more volumes on the disk. -4. Use the BitLocker setup wizard to enable BitLocker on the volume. +1. 
Open Disk Management (`diskmgmt.msc`) +2. Initialize the disk and select the appropriate partition style (MBR or GPT) +3. Create one or more volumes on the disk. +4. Use the BitLocker setup wizard to enable BitLocker on the volume. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index c954c98ef9..a70119e0d5 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -1,6 +1,6 @@ --- title: Audit Directory Service Access (Windows 10) -description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (ADA DS) object is accessed. +description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 ms.reviewer: manager: aaroncz @@ -34,4 +34,4 @@ This subcategory allows you to audit when an Active Directory Domain Services (A - [4662](event-4662.md)(S, F): An operation was performed on an object. -- [4661](event-4661.md)(S, F): A handle to an object was requested. \ No newline at end of file +- [4661](event-4661.md)(S, F): A handle to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 6c96460629..dfd4eb58db 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md 
@@ -163,9 +163,9 @@ For 4616(S): The system time was changed. > [!IMPORTANT] > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service. +- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made by Windows Time service. -- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made not by Windows Time service. +- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made by Windows Time service. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 3de0d6acc5..2416040af7 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -14,7 +14,7 @@ ms.author: vinpa ms.technology: itpro-security --- -# 4688(S): A new process has been created. +# 4688(S): A new process has been created. (Windows 10) Event 4688 illustration diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 314595bed9..b322223819 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog). ### Enable HVCI using Group Policy @@ -204,9 +204,6 @@ Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related pro Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard ``` -> [!NOTE] -> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11. - > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index a00cec360b..c71d2b029e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -60,7 +60,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
    - Enable Application Guard to print into the XPS format.
    - Enable Application Guard to print into the PDF format.
    - Enable Application Guard to print to locally attached printers.
    - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

    **To reset the container:**
    1. Open a command-line program and navigate to `Windows/System32`.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| |Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

    Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
    - Enable Microsoft Defender Application Guard only for Microsoft Edge
    - Enable Microsoft Defender Application Guard only for Microsoft Office
    - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

    **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

    **Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| -|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

    Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

    **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

    Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

    **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

    Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

    **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

    Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

    **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher

    Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

    **Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7118a806da..e9a396f602 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -2,17 +2,17 @@ metadata: title: FAQ - Microsoft Defender Application Guard (Windows 10) description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. - ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: denisebmsft - ms.author: deniseb + ms.prod: windows-client + ms.technology: itpro-security + author: vinaypamnani-msft + ms.author: vinpa ms.reviewer: manager: aaroncz ms.custom: asr - ms.technology: windows-sec ms.topic: faq title: Frequently asked questions - Microsoft Defender Application Guard summary: | diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 8d8e4c26cd..bc2b937927 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -22,7 +22,8 @@ ms.technology: itpro-security **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. 
@@ -313,4 +314,4 @@ Secedit.exe is useful when you have multiple devices on which security must be a ## Working with Group Policy tools -Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. \ No newline at end of file +Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 4d69ec3195..d9bdd93728 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md 
@@ -22,7 +22,8 @@ ms.technology: itpro-security # Configure security policy settings **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 4c6c5ddd2d..39110f95c1 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -33,9 +33,9 @@ The **Microsoft network server: Amount of idle time required before suspending s ### Possible values -- A user-defined number of minutes from 0 through 99,999 +- A user-defined number of minutes from 0 through 99,999. - For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy. + For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 (8 business hours per day), which is 208 days. In effect, this value disables the policy. - Not defined diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 4842d0dfe2..3b779eb87c 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -21,7 +21,13 @@ ms.technology: itpro-security # Network access: Restrict anonymous access to Named Pipes and Shares **Applies to** +- Windows 11 - Windows 10 +- Windows 8.1 +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 +- Windows Server 2012 R2 Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md index f558cd0804..82252f7a68 100644 --- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md +++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md @@ -21,7 +21,8 @@ ms.technology: itpro-security # Network List Manager policies **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 3781352906..fb87a0fd40 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md 
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive. The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index cb99f2efbf..2668278e86 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md 
@@ -21,7 +21,8 @@ ms.technology: itpro-security # Security policy settings reference **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 89e08b0200..cae3c81088 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -43,6 +43,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. + :::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png"::: + 5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. 6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. diff --git a/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png new file mode 100644 index 0000000000..ba2de148f1 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png differ diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 7f5b3c7832..58fb302ed7 100644 
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -229,12 +229,14 @@ With the Visual Studio Code installer script already mapped into the sandbox, th ### VSCodeInstall.cmd +Download vscode to `downloads` folder and run from `downloads` folder + ```batch REM Download Visual Studio Code -curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe +curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe REM Install and run Visual Studio Code -C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes +C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` ### VSCode.wsb @@ -244,15 +246,17 @@ C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes C:\SandboxScripts + C:\Users\WDAGUtilityAccount\Downloads\sandbox true C:\CodingProjects + C:\Users\WDAGUtilityAccount\Documents\Projects false - C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd + C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd ``` diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index 1f712dc9f7..cb62adc90c 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md 
@@ -77,7 +77,7 @@ Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-fo | Name | Details | Security Tools | |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| | Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Microsoft Edge, version 98 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
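Review bot: In the get-support-for-security-baselines.md table row, the Edge version is bumped from 98 to 107 but the SecGuide link still points at `security-baseline-for-microsoft-edge-v98/ba-p/3165443`, so the row now sends readers to the v98 baseline announcement under a v107 label. Update the link target to the v107 baseline post (or, if that post isn't published yet, leave the version at 98 until it is) so this row and the "Edge version 107" entry in security-compliance-toolkit-10.md both resolve to the right baseline.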
    diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index a3d0a27f9d..11b8b102dd 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -49,7 +49,7 @@ The Security Compliance Toolkit consists of: - Microsoft 365 Apps for Enterprise Version 2206 - Microsoft Edge security baseline - - Edge version 98 + - Edge version 107 - Tools - Policy Analyzer diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 5bedbaf17a..47647ffae7 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -66,7 +66,7 @@ There are several ways to get and use security baselines: 2. [Mobile device management (MDM) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool. -3. MDM security baselines can easily be configures in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all). +3. MDM security baselines can easily be configured in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all). ## Community diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index cbb7d6dbb6..e72a69b1d0 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -84,7 +84,7 @@ The following configuration requirements apply to VMs running Windows 11. - Generation: 2 \* - Storage: 64 GB or greater - Security: - - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM and secure boot enabled + - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager) - General settings: Secure boot capable, virtual TPM enabled - Memory: 4 GB or greater
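Review bot: In the first encrypted-hard-drive.md hunk, the added line starting `+Rapid encryption in BitLocker directly addresses...` runs the "Rapid encryption" paragraph and the "When the operating system identifies an encrypted hard drive..." paragraph together on one line, and that second paragraph also appears as unchanged context immediately above the addition; check the rendered page for a duplicated paragraph and keep the two as separate paragraphs. In the same hunk, the reworded `+- **Disk Duplication**:` bullet still ends with "Images made using disk duplicators won't work", which contradicts a bullet that presents disk duplication as a supported deployment method; state the actual restriction (the bullet already says the disk must have been partitioned on Windows 8 or Windows Server 2012 or later) or drop the sentence.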
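Review bot: In the `@@ -97,13 +98,13 @@` hunk of encrypted-hard-drive.md, the reworded sentence `+... If the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted.` contradicts the first hunk, which states that if the DEK is changed or erased, data encrypted with it is irrecoverable. The sentences that follow ("A new Authentication Key needs to be created and it will re-encrypt the DEK") describe an AK rotation, not a DEK change, so the subject should be the AK, for example: "If the AK needs to be changed, the data on the drive doesn't need to be re-encrypted: a new AK is created and used to re-encrypt the DEK." The rest of the hunk (the added comma, the "Reconfiguring" heading, the backticked `diskmgmt.msc`) looks fine.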
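Review bot: In event-4688.md, the new title `# 4688(S): A new process has been created. (Windows 10)` places the edition suffix after the sentence's period; the sibling audit page in this same patch uses `Audit Directory Service Access (Windows 10)` with no period. Drop the period before the parenthetical so the titles are consistent.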
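Review bot: In the first hunk of enable-virtualization-based-protection-of-code-integrity.md, the Intune link is corrected from the AppLocker CSP to the VirtualizationBasedTechnology CSP, but the sentence still says "using the Code Integrity node in the ... CSP". The setting in that CSP is `VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity`; name it in the sentence so readers searching the settings catalog look for the right node rather than a "Code Integrity" node that no longer matches the linked CSP.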
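Review bot: In the `@@ -204,9 +204,6 @@` hunk of enable-virtualization-based-protection-of-code-integrity.md, the note that `Win32_DeviceGuard` is only available on Enterprise editions is deleted with no replacement text. If the class is now available on other editions, say so (and from which version), because a reader on another edition who gets nothing back from `Get-CimInstance –ClassName Win32_DeviceGuard` otherwise can't tell whether HVCI is off or the class is simply absent on that edition. If the note was removed because it was wrong, a one-line commit note explaining that would help reviewers.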
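Review bot: In configure-md-app-guard.md, the `+|Allow files to download to host operating system|` row drops the sentence "This is effective only in managed mode." with nothing that says what applies now. Every other Enabled cell in this table keeps that qualifier, so the omission reads like an oversight rather than a statement that the policy also applies in standalone mode; if it does, say so explicitly. The retained warning that the setting "creates a share between the host and container that also allows for uploads from the host to the Application Guard container" is the security-relevant part of the row and deserves the same bold **Important:** treatment the hardware-accelerated rendering and camera/microphone rows already use.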
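Review bot: In microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md, the added parenthetical in `The maximum value is 99999 (8 business hours per day), which is 208 days` is confusing: 99999 minutes is about 69.4 days of elapsed time (99999 / 1440), and the 208-day figure only holds if you count eight-hour working days (99999 / 480 ≈ 208). SMB session idle time is measured against the clock, not business hours, so state the elapsed-time figure, for example "The maximum value is 99999 minutes, which is about 69 days (roughly 208 eight-hour working days)."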
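Review bot: In the first hunk of windows-sandbox-configure-using-wsb-file.md, the added sentence `+Download vscode to `downloads` folder and run from `downloads` folder` needs editing before merge: use the product name, add the articles and punctuation, and match the folder's real casing, for example "Download Visual Studio Code to the `Downloads` folder and run the installer from there." The path change in the script itself is consistent: both the `--output` target and the executed path now use `C:\users\WDAGUtilityAccount\Downloads\vscode.exe`, and the second hunk's `LogonCommand` path `C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd` matches the new mapped `Downloads\sandbox` folder.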
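Review bot: In windows-11-requirements.md, the Azure line drops "and secure boot enabled" so it now reads `Trusted launch ... with vTPM enabled`, while the Hyper-V line and the "General settings" line in the same list still require Secure Boot. If the intent is that Trusted launch enables Secure Boot by default, say that ("with vTPM enabled; Secure Boot is on by default") rather than silently dropping it, because a reader comparing the three lines will conclude that Secure Boot is optional on Azure, which contradicts the "Secure boot capable" general requirement two lines below.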