diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md
index 16169cec8c..8cc17b758c 100644
--- a/devices/hololens/hololens-FAQ.md
+++ b/devices/hololens/hololens-FAQ.md
@@ -43,7 +43,7 @@ This article addresses the following questions and issues:
- [HoloLens doesn't respond to my gestures](#hololens-doesnt-respond-to-my-gestures)
- [HoloLens doesn't respond to my voice](#hololens-doesnt-respond-to-my-voice)
- [I'm having problems pairing or using a Bluetooth device](#im-having-problems-pairing-or-using-a-bluetooth-device)
-- [HoloLens Settings lists devices as available, but the devices don’t work](#hololens-settings-lists-devices-as-available-but-the-devices-dont-work)
+- [HoloLens Settings lists devices as available, but the devices don't work](#hololens-settings-lists-devices-as-available-but-the-devices-dont-work)
- [I'm having problems using the HoloLens clicker](#im-having-problems-using-the-hololens-clicker)
- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi)
- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start)
@@ -166,9 +166,11 @@ On HoloLens (1st gen), built-in speech recognition is not configurable. It is al
If your HoloLens 2 is not responding to your voice, make sure Speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and turn on **Speech recognition**.
-### Cortana doesn't work
+### Cortana or Dictation doesn't work
-If Cortana isn't responding to your voice, make sure Cortana is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and verify the **Online speech recognition** settings. Then do one of the following to verify that Cortana itself is turned on:
+If Cortana or Dictation isn't responding to your voice, make sure online speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and verify the **Online speech recognition** settings.
+
+If Cortana is still not responding, do one of the following to verify that Cortana itself is turned on:
- In **All apps**, select **Cortana** > select **Menu** > **Notebook** > **Settings** to make changes.
- On HoloLens 2, select the **Speech settings** button or say "Speech settings."
@@ -187,7 +189,7 @@ If you're having problems [pairing a Bluetooth device](hololens-connect-devices.
[Back to list](#list)
-## HoloLens Settings lists devices as available, but the devices don’t work
+## HoloLens Settings lists devices as available, but the devices don't work
HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported.
@@ -255,7 +257,7 @@ No. You have to use Azure Active Directory (AAD) to manage user accounts for Hol
No.
-### Can HoloLens participate in WNA or Integrated Windows Authentication?
+### Can HoloLens participate in Integrated Windows Authentication?
No.
diff --git a/devices/hololens/hololens-network.md b/devices/hololens/hololens-network.md
index c7a9e2b3a1..bd9286a91e 100644
--- a/devices/hololens/hololens-network.md
+++ b/devices/hololens/hololens-network.md
@@ -5,7 +5,6 @@ ms.assetid: 0895606e-96c0-491e-8b1c-52e56b00365d
author: mattzmsft
ms.author: mazeller
keywords: HoloLens, wifi, wireless, internet, ip, ip address
-ms.date: 02/27/2020
ms.prod: hololens
ms.sitesec: library
ms.localizationpriority: high
diff --git a/devices/surface-hub/surface-hub-2s-whats-new.md b/devices/surface-hub/surface-hub-2s-whats-new.md
index 13d7eb06ce..82589b360e 100644
--- a/devices/surface-hub/surface-hub-2s-whats-new.md
+++ b/devices/surface-hub/surface-hub-2s-whats-new.md
@@ -22,7 +22,7 @@ Surface Hub 2S is an all-in-one collaboration canvas that’s built for teamwork
|**Mobile Device Management and UEFI manageability**| Manage settings and policies using a mobile device management (MDM) provider.
Full integration with Surface Enterprise Management Mode (SEMM) lets you manage hardware components and firmware. | [Managing Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)
[Surface Enterprise Management Mode](https://docs.microsoft.com/surface/surface-enterprise-management-mode) |
|**Cloud and on-premises coexistence**| Supports on-premises, hybrid, or online. | [Prepare your environment for Microsoft Surface Hub 2S](surface-hub-2s-prepare-environment.md) |
|**Reset and recovery**| Restore from the cloud or USB drive. | [Recover and reset Surface Hub 2S](surface-hub-2s-recover-reset.md) |
-|**Microsoft Whiteboard**| Ofice 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) |
+|**Microsoft Whiteboard**| Office 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) |
|**Microsoft Teams Meeting Room License**| Extends Office 365 licensing options across Skype for Business, Microsoft Teams, and Intune. | [Teams Meeting Room Licensing Update](https://docs.microsoft.com/MicrosoftTeams/room-systems/skype-room-systems-v2-0) |
|**On-screen display**| Adjust volume, brightness, and input control directly on the display. | |
|**Sensor-activated Connected Standby**| Doppler sensor activates Connected Standby after 1 minute of inactivity.
Manage this setting remotely using Intune or directly on the device from the Settings app. | [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) |
diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md
index 50af49ec5c..8e584f17b3 100644
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@@ -24,6 +24,33 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
+February 28, 2020—update for Surface Hub 2S
+
+This update is specific to the Surface Hub 2S and provides the driver and firmware updates outlined below:
+
+* Surface Integration driver - 13.46.139.0
+ * Improves display brightness scenarios.
+* Intel(R) Management Engine Interface driver - 1914.12.0.1256
+ * Improves system stability.
+* Surface SMC Firmware update - 1.161.139.0
+ * Improves pen battery performance.
+* Surface UEFI update - 694.2938.768.0
+ * Improves system stability.
+February 11, 2020—update for Team edition based on KB4537765* (OS Build 15063.2284)
+
+This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
+
+* Resolves an issue where the Hub 2S cannot be heard well by other participants during Skype for Business calls.
+* Improves reliability for some Arabic, Hebrew, and other RTL language usage scenarios on Surface Hub.
+
+Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
+*[KB4537765](https://support.microsoft.com/help/4537765)
+January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254)
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index df3918d715..a64fb3cc4f 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -7,7 +7,6 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 06/11/2019
ms.reviewer: cottmca
manager: dansimp
ms.localizationpriority: medium
@@ -34,7 +33,8 @@ Before you run the diagnostic tool, make sure you have the latest Windows update
2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required.
-# If you still need help
+
+## If you still need help
If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also:
diff --git a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md
index fdfc5ef202..3645704cf9 100644
--- a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md
+++ b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md
@@ -52,7 +52,7 @@ The Microsoft Application Virtualization (App-V) 5.0 Administrator’s Guide pro
- [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata.md)
- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md)
-#
+## Also see
- Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md
index b5120b6279..07efe04eca 100644
--- a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md
+++ b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md
@@ -48,7 +48,7 @@ The Microsoft Application Virtualization (App-V) 5.1 Administrator’s Guide pro
- [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata51.md)
- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md)
-#
+## Also see
- Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/mbam-v2/about-mbam-20-sp1.md b/mdop/mbam-v2/about-mbam-20-sp1.md
index ab210f8c1c..cb1d4df6a7 100644
--- a/mdop/mbam-v2/about-mbam-20-sp1.md
+++ b/mdop/mbam-v2/about-mbam-20-sp1.md
@@ -16,12 +16,10 @@ ms.date: 08/30/2016
# About MBAM 2.0 SP1
-
This topic describes the changes in Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1). For a general description of MBAM, see [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md).
## What’s new in MBAM 2.0 SP1
-
This version of MBAM provides the following new features and functionality.
### Support for Windows 8.1, Windows Server 2012 R2, and System Center 2012 R2 Configuration Manager
@@ -257,8 +255,9 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
// Microsoft BitLocker Administration and Monitoring
//===================================================
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@@ -290,8 +289,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
Boolean IsAutoUnlockEnabled;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@@ -352,8 +351,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
EncodedComputerName;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy_64
{
@@ -414,8 +413,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
EncodedComputerName;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@@ -426,8 +425,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
uint32 SKU;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended
@@ -449,35 +448,23 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
MBAM 2.0 SP1 is now available in the following languages:
- English (United States) en-US
-
- French (France) fr-FR
-
- Italian (Italy) it-IT
-
- German (Germany) de-DE
-
- Spanish, International Sort (Spain) es-ES
-
- Korean (Korea) ko-KR
-
- Japanese (Japan) ja-JP
-
- Portuguese (Brazil) pt-BR
-
- Russian (Russia) ru-RU
-
- Chinese Traditional zh-TW
-
- Chinese Simplified zh-CN
## How to Get MDOP Technologies
-
MBAM 2.0 SP1 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049).
## Related topics
-
[Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 2e002f5962..beff0509a7 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -7,7 +7,6 @@ ms.sitesec: library
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
-ms.date: 12/03/18
ms.reviewer:
manager: dansimp
ms.topic: troubleshooting
@@ -34,8 +33,6 @@ When troubleshooting basic Start issues (and for the most part, all other Window
- Powershell:[System.Environment]::OSVersion.Version
- WinVer from CMD.exe
-
-
### Check if Start is installed
- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully.
@@ -66,7 +63,6 @@ If it is installed but not running, test booting into safe mode or use MSCONFIG
- If that file does not exist, the system is a clean install.
- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"`
-
### Check if Start is registered or activated
- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet:
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 84bd681996..8b61799ddc 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -79,19 +79,20 @@
##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
-##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
-##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
-##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+### Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
+#### [Get started with MDT](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
-#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
-#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
-#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
-#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
-#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
-#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
+#### Deploy Windows 10 with MDT
+##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+##### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
+##### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
+##### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
+##### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
+##### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
+##### [Perform an in-place upgrade to Windows 10 with MDT](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+
+#### Customize MDT
+##### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
@@ -272,4 +273,3 @@
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Determine the source of Windows updates](update/windows-update-sources.md)
-
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
deleted file mode 100644
index 2389ae314a..0000000000
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-title: Change history for Deploy Windows 10 (Windows 10)
-description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Change history for Deploy Windows 10
-This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
-
-## April 2018
-
-New or changed topic | Description
---- | ---
-[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express.
-
-## November 2017
-
-New or changed topic | Description
--- | ---
- [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml.
-
-## RELEASE: Windows 10, version 1709
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. |
-| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.|
-
-## July 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| The table of contents for deployment topics was reorganized.
-
-## June 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New |
-
-## April 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. |
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. |
-| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. |
-| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. |
-
-
-## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index).
-
-
-## March 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
-| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
-
-## February 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. |
-| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content |
-| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started |
-| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting |
-| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New |
-| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content |
-| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New |
-| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New |
-| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New |
-
-
-## January 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
-| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
-| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
-| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) |
-| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) |
-| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) |
-| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) |
-| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) |
-| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) |
-| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) |
-| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) |
-| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
-| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
-| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
-
-
-## October 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New |
-
-## September 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery |
-| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows |
-| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New |
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
-
-- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md)
-- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md)
-- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md)
-
-## August 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements |
-
-## July 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New |
-
-## June 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
-| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 |
-| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New |
-
-## May 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New |
-
-## December 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated |
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated |
-
-## November 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New |
-
-## Related topics
-- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment)
-- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-- [Change history for Device Security](/windows/device-security/change-history-for-device-security)
-- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
diff --git a/windows/deployment/deploy-old.md b/windows/deployment/deploy-old.md
new file mode 100644
index 0000000000..56697276c6
--- /dev/null
+++ b/windows/deployment/deploy-old.md
@@ -0,0 +1,48 @@
+---
+title: Deploy Windows 10 (Windows 10)
+description: Deploying Windows 10 for IT professionals.
+ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10
+
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
+
+
+|Topic |Description |
+|------|------------|
+|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
+|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
+
+## Related topics
+
+[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 0ee0a6d5b3..bc0b6b6602 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -169,11 +169,9 @@ For more information, see the following guides:
The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
-[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
-
[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-
[Change history for Device Security](/windows/device-security/change-history-for-device-security)
-
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
-
+[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
+[Change history for Device Security](/windows/device-security/change-history-for-device-security)
+[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
## Related topics
diff --git a/windows/deployment/deploy-windows-mdt/TOC.md b/windows/deployment/deploy-windows-mdt/TOC.md
new file mode 100644
index 0000000000..7f51b8ca5b
--- /dev/null
+++ b/windows/deployment/deploy-windows-mdt/TOC.md
@@ -0,0 +1,22 @@
+# Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
+## [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md)
+
+## Deploy Windows 10 with MDT
+### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+
+## Customize MDT
+### [Configure MDT settings](configure-mdt-settings.md)
+### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+### [Use web services in MDT](use-web-services-in-mdt.md)
+### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index f0259285ae..67daeba302 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -21,15 +21,19 @@ ms.topic: article
**Applies to**
- Windows 10
-In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of the deployment solution. With images reaching 5 GB in size or more, you can't deploy machines in a remote office over the wire. You need to replicate the content, so that the clients can do local deployments.
+Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
-We will use four machines for this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0006 is a blank machine to which you will deploy Windows 10. You will configure a second deployment server (MDT02) for a remote site (Stockholm) by replicating the deployment share in the original site (New York). MDT01, MDT02, and PC0006 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
+
+For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-Figure 1. The machines used in this topic.
+Computers used in this topic.
-## Replicate deployment shares
+>HV01 is also used in this topic to host the PC0006 virtual machine.
+
+## Replicate deployment shares
Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
@@ -42,60 +46,88 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes
### Why DFS-R is a better option
-DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication target(s) as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
+DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
-## Set up Distributed File System Replication (DFS-R) for replication
+## Set up Distributed File System Replication (DFS-R) for replication
-Setting up DFS-R for replication is a quick and straightforward process. You prepare the deployment servers and then create a replication group. To complete the setup, you configure some replication settings.
+Setting up DFS-R for replication is a quick and straightforward process: Prepare the deployment servers, create a replication group, then configure some replication settings.
### Prepare MDT01 for replication
-1. On MDT01, using Server Manager, click **Add roles and features**.
-2. On the **Select installation type** page, select **Role-based or feature-based installation**.
-3. On the **Select destination server** page, select **MDT01.contoso.com** and click **Next**.
-4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**.
-5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**.
+On **MDT01**:
- 
+1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt:
- Figure 2. Adding the DFS Replication role to MDT01.
+```powershell
+Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+```
-6. On the **Select features** page, accept the default settings, and click **Next**.
-7. On the **Confirm installation selections** page, click **Install**.
-8. On the **Installation progress** page, click **Close**.
+2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
+
+```output
+PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+
+Success Restart Needed Exit Code Feature Result
+------- -------------- --------- --------------
+True No Success {DFS Replication, DFS Management Tools, Fi...
+```
### Prepare MDT02 for replication
-1. On MDT02, using Server Manager, click **Add roles and features**.
-2. On the **Select installation type** page, select **Role-based or feature-based installation**.
-3. On the **Select destination server** page, select **MDT02.contoso.com** and click **Next**.
-4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**.
-5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**.
-6. On the **Select features** page, accept the default settings, and click **Next**.
-7. On the **Confirm installation selections** page, click **Install**.
-8. On the **Installation progress** page, click **Close**.
+On **MDT02**:
+
+1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt:
+
+```powershell
+Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+```
+
+2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
+
+```output
+PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+
+Success Restart Needed Exit Code Feature Result
+------- -------------- --------- --------------
+True No Success {DFS Replication, DFS Management Tools, Fi...
+```
### Create the MDTProduction folder on MDT02
-1. On MDT02, using File Explorer, create the **E:\\MDTProduction** folder.
-2. Share the **E:\\MDTProduction** folder as **MDTProduction$**. Use the default permissions.
+On **MDT02**:
- 
+1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt:
- Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02.
+ ```powershell
+ mkdir d:\MDTProduction
+ New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
+ ```
+
+2. You should see the following output:
+
+ ```output
+ C:\> New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
+
+ Name ScopeName Path Description
+ ---- --------- ---- -----------
+ MDTProduction$ * D:\MDTProduction
+ ```
### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
-1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this:
+
+On **MDT01**:
+
+1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use.
```ini
[Settings]
Priority=DefaultGateway, Default
[DefaultGateway]
- 192.168.1.1=NewYork
- 192.168.2.1=Stockholm
+ 10.10.10.1=NewYork
+ 10.10.20.1=Stockholm
[NewYork]
DeployRoot=\\MDT01\MDTProduction$
@@ -106,137 +138,133 @@ When you have multiple deployment servers sharing the same content, you need to
[Default]
UserDomain=CONTOSO
UserID=MDT_BA
+ UserPassword=pass@word1
SkipBDDWelcome=YES
```
-
- > [!NOTE]
- > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local.
- >
- > To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
+ >[!NOTE]
+ >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
2. Save the Bootstrap.ini file.
-3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**.
-
- 
-
- Figure 4. Updating the MDT Production deployment share.
-
-4. Use the default settings for the Update Deployment Share Wizard.
-5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
+3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
+4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
+5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
- Figure 5. Replacing the updated boot image in WDS.
+ Replacing the updated boot image in WDS.
-6. Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
+ >[!TIP]
+ >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
+
+ ## Replicate the content
- ## Replicate the content
Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication.
### Create the replication group
-7. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**.
-8. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
-9. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
-10. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
+6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and click **New Replication Group**.
+7. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
+8. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
+9. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
- Figure 6. Adding the Replication Group Members.
+ Adding the Replication Group Members.
-11. On the **Topology Selection** page, select the **Full mesh** option and click **Next**.
-12. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**.
-13. On the **Primary Member** page, select **MDT01** and click **Next**.
-14. On the **Folders to Replicate** page, click **Add**, type in **E:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**.
-15. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
-16. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
-
- 
-
- Figure 7. Configure the MDT02 member.
-
-17. On the **Review Settings and Create Replication Group** page, click **Create**.
-18. On the **Confirmation** page, click **Close**.
+10. On the **Topology Selection** page, select the **Full mesh** option and click **Next**.
+11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**.
+12. On the **Primary Member** page, select **MDT01** and click **Next**.
+13. On the **Folders to Replicate** page, click **Add**, enter **D:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**.
+14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
+15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
+16. On the **Review Settings and Create Replication Group** page, click **Create**.
+17. On the **Confirmation** page, click **Close**.
### Configure replicated folders
-19. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**.
-20. In the middle pane, right-click the **MDT01** member and select **Properties**.
-21. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
+18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
+19. In the middle pane, right-click the **MDT01** member and click **Properties**.
+20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
- In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share:
+ In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share:
``` powershell
- (Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
+ (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```
- 
-
- Figure 8. Configure the Staging settings.
-
-22. In the middle pane, right-click the **MDT02** member and select **Properties**.
-23. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**:
+21. In the middle pane, right-click the **MDT02** member and select **Properties**.
+22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
> [!NOTE]
> It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
-
+
+23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
+
+```cmd
+C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
+MemName IsPrimary
+MDT01 Yes
+MDT02 No
+```
+
### Verify replication
-1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder.
-2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
-3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, select **Health report** and click **Next**.
-4. On the **Path and Name** page, accept the default settings and click **Next**.
-5. On the **Members to Include** page, accept the default settings and click **Next**.
-6. On the **Options** page, accept the default settings and click **Next**.
-7. On the **Review Settings and Create Report** page, click **Create**.
-8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
+
+On **MDT02**:
+
+1. Wait until you start to see content appear in the **D:\\MDTProduction** folder.
+2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
+3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and click **Next**.
+4. On the **Path and Name** page, accept the default settings and click **Next**.
+5. On the **Members to Include** page, accept the default settings and click **Next**.
+6. On the **Options** page, accept the default settings and click **Next**.
+7. On the **Review Settings and Create Report** page, click **Create**.
+8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
-Figure 9. The DFS Replication Health Report.
+The DFS Replication Health Report.
-## Configure Windows Deployment Services (WDS) in a remote site
+>If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
+
+## Configure Windows Deployment Services (WDS) in a remote site
Like you did in the previous topic for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
-1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
-2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings.
+1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
+2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-## Deploy the Windows 10 client to the remote site
+## Deploy a Windows 10 client to the remote site
-Now you should have a solution ready for deploying the Windows 10 client to the remote site, Stockholm, connecting to the MDT Production deployment share replica on MDT02.
+Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure.
+
+>For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file.
1. Create a virtual machine with the following settings:
- 1. Name: PC0006
- 2. Location: C:\\VMs
- 3. Generation: 2
- 4. Memory: 2048 MB
- 5. Hard disk: 60 GB (dynamic disk)
-2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
+ 1. Name: PC0006
+ 2. Location: C:\\VMs
+ 3. Generation: 2
+ 4. Memory: 2048 MB
+ 5. Hard disk: 60 GB (dynamic disk)
+ 6. Install an operating system from a network-based installation server
+2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- 1. Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer:
- 1. Windows 10 Enterprise x64 RTM Custom Image
- 2. Computer Name: PC0006
- 3. Applications: Select the Install - Adobe Reader XI - x86 application
-4. The setup will now start and do the following:
+ 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ 2. Computer Name: PC0006
+ 3. Applications: Select the Install - Adobe Reader
+4. Setup will now start and perform the following:
1. Install the Windows 10 Enterprise operating system.
- 2. Install the added application.
- 3. Update the operating system via your local Windows Server Update Services (WSUS) server.
+ 2. Install applications.
+ 3. Update the operating system using your local Windows Server Update Services (WSUS) server.
+
+
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
-
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 2b89867e2e..0eac636a76 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -1,6 +1,6 @@
---
title: Configure MDT settings (Windows 10)
-description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities. Learn how to customize your environment.
+description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
ms.reviewer:
manager: laurawi
@@ -19,11 +19,11 @@ ms.topic: article
# Configure MDT settings
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-Figure 1. The machines used in this topic.
+The computers used in this topic.
## In this section
@@ -38,14 +38,9 @@ Figure 1. The machines used in this topic.
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 9076a17339..45f4bb2bb8 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -1,6 +1,6 @@
---
title: Create a task sequence with Configuration Manager (Windows 10)
-description: Create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
ms.reviewer:
manager: laurawi
@@ -23,14 +23,14 @@ ms.topic: article
- Windows 10
-In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+In this topic, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Create a task sequence using the MDT Integration Wizard
-This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
+This section walks you through the process of creating a Configuration Manager task sequence for production use.
1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 8e20ab78c8..aada4ef42f 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -19,60 +19,72 @@ ms.topic: article
# Create a Windows 10 reference image
**Applies to**
-- Windows 10
+- Windows 10
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.
>[!NOTE]
->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
+>See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide.
-Figure 1. The machines used in this topic.
+For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01.
+ - DC01 is a domain controller for the contoso.com domain.
+ - MDT01 is a contoso.com domain member server.
+ - HV01 is a Hyper-V server that will be used to build the reference image.
+
+ 
+
+ Computers used in this topic.
## The reference image
-The reference image described in this documentation is designed primarily for deployment to physical machines. However, the reference image is created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following:
-- You reduce development time and can use snapshots to test different configurations quickly.
-- You rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related.
-- It ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
-- It's easy to move between lab, test, and production.
+The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following:
+- To reduce development time and can use snapshots to test different configurations quickly.
+- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related.
+- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
+- The image is easy to move between lab, test, and production.
-## Set up the MDT build lab deployment share
+## Set up the MDT build lab deployment share
-With Windows 10, there is no hard requirement to create reference images; however, to reduce the time needed for deployment, you may want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
+With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
### Create the MDT build lab deployment share
-- On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
+On **MDT01**:
+
+- Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic).
+- Start the MDT deployment workbench, and pin this to the taskbar for easy access.
- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
- Use the following settings for the New Deployment Share Wizard:
-- Deployment share path: E:\\MDTBuildLab
-- Share name: MDTBuildLab$
-- Deployment share description: MDT Build Lab
-- <default>
-- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share.
+ - Deployment share path: **D:\\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT Build Lab**
+- Accept the default selections on the Options page and click **Next**.
+- Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**.
+- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share.
-
+ 
-Figure 2. The Deployment Workbench with the MDT Build Lab deployment share created.
+ The Deployment Workbench with the MDT Build Lab deployment share.
+
+### Enable monitoring
+
+To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
### Configure permissions for the deployment share
-In order to write the reference image back to the deployment share, you need to assign Modify permissions to the MDT Build Account (MDT\_BA) for the **Captures** subfolder in the **E:\\MDTBuildLab** folder
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Modify the NTFS permissions for the **E:\\MDTBuildLab\\Captures** folder by running the following command in an elevated Windows PowerShell prompt:
+In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
- ```
- icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)'
+On **MDT01**:
+
+1. Ensure you are signed in as **contoso\\administrator**.
+2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
+
+ ``` powershell
+ icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
+ grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
```
-
-
-Figure 3. Permissions configured for the MDT\_BA user.
-
-## Add the setup files
+## Add setup files
This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
@@ -85,211 +97,205 @@ MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images t
### Add Windows 10 Enterprise x64 (full source)
-In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the **E:\\Downloads\\Windows 10 Enterprise x64** folder.
+On **MDT01**:
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
-3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
-4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
-5. Full set of source files
-6. Source directory: E:\\Downloads\\Windows 10 Enterprise x64
-7. Destination directory name: W10EX64RTM
-8. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image**
+1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
-
+ 
-Figure 4. The imported Windows 10 operating system after renaming it.
+2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
+3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+ - Full set of source files
+ - Source directory: (location of your source files)
+ - Destination directory name: W10EX64RTM
+5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
-## Add applications
+ 
-Before you create an MDT task sequence, you need to add all of the applications and other sample scripts to the MDT Build Lab share.
+>Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
-The steps in this section use a strict naming standard for your MDT applications. You add the "Install - " prefix for typical application installations that run a setup installer of some kind, and you use the "Configure - " prefix when an application configures a setting in the operating system. You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
-By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. In this topic's step-by-step sections, you will add the following applications:
+## Add applications
-- Install - Microsoft Office 2013 Pro Plus - x86
-- Install - Microsoft Silverlight 5.0 - x64
-- Install - Microsoft Visual C++ 2005 SP1 - x86
-- Install - Microsoft Visual C++ 2005 SP1 - x64
-- Install - Microsoft Visual C++ 2008 SP1 - x86
-- Install - Microsoft Visual C++ 2008 SP1 - x64
-- Install - Microsoft Visual C++ 2010 SP1 - x86
-- Install - Microsoft Visual C++ 2010 SP1 - x64
-- Install - Microsoft Visual C++ 2012 Update 4 - x86
-- Install - Microsoft Visual C++ 2012 Update 4 - x64
+Before you create an MDT task sequence, you need to add any applications and scripts you wish to install to the MDT Build Lab share.
-In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell.
+On **MDT01**:
+
+First, create an MDT folder to store the Microsoft applications that will be installed:
+
+1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications**
+2. Right-click **Applications** and then click **New Folder**.
+3. Under **Folder name**, type **Microsoft**.
+4. Click **Next** twice, and then click **Finish**.
+
+The steps in this section use a strict naming standard for your MDT applications.
+- Use the "Install - " prefix for typical application installations that run a setup installer of some kind,
+- Use the "Configure - " prefix when an application configures a setting in the operating system.
+- You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures).
+
+Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
+
+By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments.
+
+In example sections, you will add the following applications:
+
+- Install - Microsoft Office 365 Pro Plus - x64
+- Install - Microsoft Visual C++ Redistributable 2019 - x86
+- Install - Microsoft Visual C++ Redistributable 2019 - x64
+
+>The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261)
+
+Download links:
+- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117)
+- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe)
+- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe)
+
+Download all three items in this list to the D:\\Downloads folder on MDT01.
+
+**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
>[!NOTE]
->All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523).
+>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
-### Create the install: Microsoft Office Professional Plus 2013 x86
+### Create configuration file: Microsoft Office 365 Professional Plus x64
-You can customize Office 2013. In the volume license versions of Office 2013, there is an Office Customization Tool you can use to customize the Office installation. In these steps we assume you have copied the Office 2013 installation files to the E:\\Downloads\\Office2013 folder.
+1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
+2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Office 365 ProPlus that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
-### Add the Microsoft Office Professional Plus 2013 x86 installation files
+ For example, you can use the following configuration.xml file, which provides these configuration settings:
+ - Install the 64-bit version of Office 365 ProPlus in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
+ - Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet.
+ - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages.
-After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this.
-You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings.
-1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**.
-2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box.
+ ```xml
+
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 238fd0d31e..7e06abfeb3 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -21,115 +21,144 @@ ms.topic: article
**Applies to**
- Windows 10
-This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment.
+This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.
+We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
-
+For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005.
-Figure 1. The machines used in this topic.
+- DC01 is a domain controller
+- MDT01 is a domain member server
+- HV01 is a Hyper-V server
+- PC0005 is a blank device to which we will deploy Windows 10
+
+MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment.
+
+ 
>[!NOTE]
->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
+>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-## Step 1: Configure Active Directory permissions
+## Step 1: Configure Active Directory permissions
+
+These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
+
+On **DC01**:
+
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
+2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
+
+ ```powershell
+ New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+ ```
+
+3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
-These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-2. Select the **Service Accounts** organizational unit (OU) and create the MDT\_JD account using the following settings:
- 1. Name: MDT\_JD
- 2. User logon name: MDT\_JD
- 3. Password: P@ssw0rd
- 4. User must change password at next logon: Clear
- 5. User cannot change password: Select
- 6. Password never expires: Select
-3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
-4. The Set-OUPermissions.ps1 script allows the MDT\_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted:
- 1. Scope: This object and all descendant objects
- 1. Create Computer objects
- 2. Delete Computer objects
- 2. Scope: Descendant Computer objects
- 1. Read All Properties
- 2. Write All Properties
- 3. Read Permissions
- 4. Modify Permissions
- 5. Change Password
- 6. Reset Password
- 7. Validated write to DNS host name
- 8. Validated write to service principal name
-## Step 2: Set up the MDT production deployment share
+The following is a list of the permissions being granted:
+ a. Scope: This object and all descendant objects
+ b. Create Computer objects
+ c. Delete Computer objects
+ d. Scope: Descendant Computer objects
+ e. Read All Properties
+ f. Write All Properties
+ g. Read Permissions
+ h. Modify Permissions
+ i. Change Password
+ j. Reset Password
+ k. Validated write to DNS host name
+ l. Validated write to service principal name
-When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+## Step 2: Set up the MDT production deployment share
+
+Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server.
### Create the MDT production deployment share
+On **MDT01**:
+
The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image:
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
-3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction** and click **Next**.
+
+1. Ensure you are signed on as: contoso\administrator.
+2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
-## Step 3: Add a custom image
+### Configure permissions for the production deployment share
+
+To read files in the deployment share, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTProduction** folder
+
+On **MDT01**:
+
+1. Ensure you are signed in as **contoso\\administrator**.
+2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
+
+ ``` powershell
+ icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
+ grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
+ ```
+
+## Step 3: Add a custom image
The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components.
### Add the Windows 10 Enterprise x64 RTM custom image
-In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image in the E:\\MDTBuildLab\\Captures folder on MDT01.
+In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
+
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
3. On the **OS Type** page, select **Custom image file** and click **Next**.
-4. On the **Image** page, in the **Source file** text box, browse to **E:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
-5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **E:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
+4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
+5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
-7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to match the following: **Windows 10 Enterprise x64 RTM Custom Image**.
+7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
>[!NOTE]
>The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
-
+
-Figure 2. The imported operating system after renaming it.
+## Step 4: Add an application
-## Step 4: Add an application
+When you configure your MDT Build Lab deployment share, you can also add applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example.
-When you configure your MDT Build Lab deployment share, you will also add any applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example.
+### Create the install: Adobe Reader DC
-### Create the install: Adobe Reader XI x86
+On **MDT01**:
-In this example, we assume that you have downloaded the Adobe Reader XI installation file (AdbeRdr11000\_eu\_ES.msi) to E:\\Setup\\Adobe Reader on MDT01.
-1. Using the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
-2. Right-click the **Applications** node, and create a new folder named **Adobe**.
-3. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
-4. On the **Application Type** page, select the **Application with source files** option and click **Next**.
-5. On the **Details** page, in the **Application** name text box, type **Install - Adobe Reader XI - x86** and click **Next**.
-6. On the **Source** page, in the **Source Directory** text box, browse to **E:\\Setup\\Adobe Reader XI** and click **Next**.
-7. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader XI - x86** and click **Next**.
-8. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AdbeRdr11000\_eu\_ES.msi /q**, click **Next** twice, and then click **Finish**.
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
+4. Right-click the **Applications** node, and create a new folder named **Adobe**.
+5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
+6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
+7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
+8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
+9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
+10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-
+
-Figure 3. The Adobe Reader application added to the Deployment Workbench.
+The Adobe Reader application added to the Deployment Workbench.
-## Step 5: Prepare the drivers repository
+## Step 5: Prepare the drivers repository
In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
- Lenovo ThinkPad T420
-- Dell Latitude E6440
+- Dell Latitude 7390
- HP EliteBook 8560w
- Microsoft Surface Pro
+
For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
>[!NOTE]
@@ -139,20 +168,22 @@ For boot images, you need to have storage and network drivers; for the operating
The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
-1. On MDT01, using File Explorer, create the **E:\\Drivers** folder.
-2. In the **E:\\Drivers** folder, create the following folder structure:
+On **MDT01**:
+
+1. Using File Explorer, create the **D:\\drivers** folder.
+2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- Dell
- - Latitude E6440
- - HP
+ - Latitude E7450
+ - Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- - ThinkPad T420 (4178)
+ - ThinkStation P500 (30A6003TUS)
- Microsoft Corporation
- - Surface Pro 3
+ - Surface Laptop
>[!NOTE]
>Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
@@ -166,16 +197,16 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
2. WinPE x64
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- - Dell Inc.
- - Latitude E6440
+ - Dell
+ - Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- - 4178
+ - 30A6003TUS
- Microsoft Corporation
- - Surface Pro 3
+ - Surface Laptop
-The preceding folder names are selected because they match the actual make and model values that MDT reads from the machines during deployment. You can find out the model values for your machines via the following command in Windows PowerShell:
+The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
``` powershell
Get-WmiObject -Class:Win32_ComputerSystem
@@ -188,87 +219,104 @@ wmic csproduct get name
If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
-
+
-Figure 4. The Out-of-Box Drivers structure in Deployment Workbench.
+The Out-of-Box Drivers structure in the Deployment Workbench.
### Create the selection profiles for boot image drivers
By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
+
+On **MDT01**:
+
+1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
2. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x86
2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers.
-3. Again, right-click the **Selection Profiles** node, and select **New Selection Profile**.
+ 3. Click **Next**, **Next** and **Finish**.
+3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
4. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x64
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
+ 3. Click **Next**, **Next** and **Finish**.
-Figure 5. Creating the WinPE x64 selection profile.
+Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image.
-In these steps, we assume you have downloaded PROWinx64.exe from Intel.com and saved it to a temporary folder.
-1. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
-2. Using File Explorer, create the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-3. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-4. Using Deployment Workbench, expand the **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**. Use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\WinPE x64\\Intel PRO1000**
+On **MDT01**:
+
+1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)).
+2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
+ a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
+3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**.
### Download, extract, and import drivers
-### For the ThinkPad T420
+### For the Lenovo ThinkStation P500
-For the Lenovo T420 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo T420 model has the 4178B9G model name, meaning the Machine Type is 4178.
+For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-To get the updates, you download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can download the drivers from the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
+
-In these steps, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever v5.0 to the E:\\Drivers\\Lenovo\\ThinkPad T420 (4178) folder.
+To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Lenovo** node.
-2. Right-click the **4178** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkPad T420 (4178)**
+In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory.
-### For the Latitude E6440
+On **MDT01**:
-For the Dell Latitude E6440 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
+1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
+2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
-In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E6440 model to the E:\\Drivers\\Dell\\Latitude E6440 folder.
+The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
-1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Dell** node.
-2. Right-click the **Latitude E6440** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Dell\\Latitude E6440**
+### For the Latitude E7450
+
+For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
+
+In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder.
+
+On **MDT01**:
+
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node.
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450**
### For the HP EliteBook 8560w
For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
-In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w folder.
+In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
-1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Hewlett-Packard** node.
-2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w**
+On **MDT01**:
-### For the Microsoft Surface Pro 3
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
+2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
-For the Microsoft Surface Pro model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Pro 3 drivers to the E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3 folder.
+### For the Microsoft Surface Laptop
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Microsoft** node.
-2. Right-click the **Surface Pro 3** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3**
+For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder.
-## Step 6: Create the deployment task sequence
+On **MDT01**:
-This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the tasks sequence to enable patching via a Windows Server Update Services (WSUS) server.
+1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
+2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+
+## Step 6: Create the deployment task sequence
+
+This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
### Create a task sequence for Windows 10 Enterprise
-1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
+On **MDT01**:
+
+1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: W10-X64-001
2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
@@ -278,13 +326,14 @@ This section will show you how to create the task sequence used to deploy your p
6. Specify Product Key: Do not specify a product key at this time
7. Full Name: Contoso
8. Organization: Contoso
- 9. Internet Explorer home page: about:blank
+ 9. Internet Explorer home page: https://www.contoso.com
10. Admin Password: Do not specify an Administrator Password at this time
- ### Edit the Windows 10 task sequence
-3. Right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
-4. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
- 1. Preinstall. After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
+### Edit the Windows 10 task sequence
+
+1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
+2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
+ 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 10 x64\\%Make%\\%Model%
@@ -297,89 +346,93 @@ This section will show you how to create the task sequence used to deploy your p
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
-5. Click **OK**.
+3. Click **OK**.
-
+
-Figure 6. The task sequence for production deployment.
+The task sequence for production deployment.
-## Step 7: Configure the MDT production deployment share
+## Step 7: Configure the MDT production deployment share
In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work.
### Configure the rules
-1. On MDT01, using File Explorer, copy the following files from the **D:\\Setup\\Sample Files\\MDT Production\\Control** folder to **E:\\MDTProduction\\Control**. Overwrite the existing files.
- 1. Bootstrap.ini
- 2. CustomSettings.ini
-2. Right-click the **MDT Production** deployment share and select **Properties**.
-3. Select the **Rules** tab and modify using the following information:
+On **MDT01**:
- ```
- [Settings]
- Priority=Default
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=P@ssw0rd
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=P@ssw0rd
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- WSUSServer=mdt01.contoso.com:8530
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- ```
-4. Click **Edit Bootstrap.ini** and modify using the following information:
+1. Right-click the **MDT Production** deployment share and select **Properties**.
+2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
- ```
- [Settings]
- Priority=Default
- [Default]
- DeployRoot=\\MDT01\MDTProduction$
- UserDomain=CONTOSO
- UserID=MDT_BA
- SkipBDDWelcome=YES
- ```
-5. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
-6. In the **General** sub tab, configure the following settings:
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=CONTOSO\MDT_JD
+ DomainAdminPassword=pass@word1
+ MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
+ SLShare=\\MDT01\Logs$
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ WSUSServer=mdt01.contoso.com:8530
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=NO
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ ```
+
+3. Click **Edit Bootstrap.ini** and modify using the following information:
+
+```
+[Settings]
+Priority=Default
+
+[Default]
+DeployRoot=\\MDT01\MDTProduction$
+UserDomain=CONTOSO
+UserID=MDT_BA
+UserPassword=pass@word1
+SkipBDDWelcome=YES
+```
+
+4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x86
2. ISO file name: MDT Production x86.iso
> [!NOTE]
>
- > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+ >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
-7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
-8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
-9. In the **General** sub tab, configure the following settings:
+6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
+7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+8. On the **General** sub tab, configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x64
2. ISO file name: MDT Production x64.iso
-10. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
-11. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
-12. Click **OK**.
+9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
+11. Click **OK**.
>[!NOTE]
>It will take a while for the Deployment Workbench to create the monitoring database and web service.
@@ -387,39 +440,46 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
-Figure 7. The Windows PE tab for the x64 boot image.
+The Windows PE tab for the x64 boot image.
### The rules explained
-The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup and that you do not automate the logon.
+The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
+
+>
+>You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
-This is the MDT Production Bootstrap.ini without the user credentials (except domain information):
+This is the MDT Production Bootstrap.ini:
```
[Settings]
Priority=Default
+
[Default]
DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO
UserID=MDT_BA
+UserPassword=pass@word1
SkipBDDWelcome=YES
```
+
### The CustomSettings.ini file
This is the CustomSettings.ini file with the new join domain information:
```
[Settings]
Priority=Default
+
[Default]
_SMSTSORGNAME=Contoso
OSInstall=Y
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
-AdminPassword=P@ssw0rd
+AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
-DomainAdminPassword=P@ssw0rd
+DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
@@ -444,7 +504,8 @@ SkipCapture=YES
SkipFinalSummary=NO
EventService=http://MDT01:9800
```
-The additional properties to use in the MDT Production rules file are as follows:
+
+Some properties to use in the MDT Production rules file are as follows:
- **JoinDomain.** The domain to join.
- **DomainAdmin.** The account to use when joining the machine to the domain.
- **DomainAdminDomain.** The domain for the join domain account.
@@ -456,33 +517,35 @@ The additional properties to use in the MDT Production rules file are as follows
### Optional deployment share configuration
-If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you
-troubleshoot MDT deployments, as well as troubleshoot Windows itself.
+If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself.
### Add DaRT 10 to the boot images
-If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following:
-- Install DaRT 10 (part of MDOP 2015 R1).
-- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share.
-- Configure the deployment share to add DaRT.
- In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to the E:\\Setup\\DaRT 10 folder on MDT01.
-- On MDT01, install DaRT 10 (MSDaRT10.msi) using the default settings.
-- Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-- Copy the Toolsx64.cab file to **E:\\MDTProduction\\Tools\\x64**.
-- Copy the Toolsx86.cab file to **E:\\MDTProduction\\Tools\\x86**.
-- Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
-- In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
-- In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
+If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
- 
+>DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
- Figure 8. Selecting the DaRT 10 feature in the deployment share.
+On **MDT01**:
+
+1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
deleted file mode 100644
index bc6f898741..0000000000
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
-description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
-ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, tools, configure, script
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.pagetype: mdt
-ms.topic: article
----
-
-# Deploy Windows 10 with the Microsoft Deployment Toolkit
-
-**Applies to**
-- Windows 10
-
-This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
-
-The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
-MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager.
-
-To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-## In this section
-
-- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-- [Configure MDT settings](configure-mdt-settings.md)
-
-## Proof-of-concept environment
-
-For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002.
-
-
-
-Figure 1. The servers and machines used for examples in this guide.
-
-DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation.
-
-
-
-Figure 2. The organizational unit (OU) structure used in this guide.
-
-### Server details
-
-- **DC01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as Active Directory Domain Controller, DNS Server, and DHCP Server in the contoso.com domain.
- - Server name: DC01
- - IP Address: 192.168.1.200
- - Roles: DNS, DHCP, and Domain Controller
-- **MDT01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain.
- - Server name: MDT01
- - IP Address: 192.168.1.210
-- **CM01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain.
- - Server name: CM01
- - IP Address: 192.168.1.214
-
-### Client machine details
-
-- **PC0001.** A Windows 10 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced as the admin workstation.
- - Client name: PC0001
- - IP Address: DHCP
-- **PC0002.** A Windows 7 SP1 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced during the migration scenarios.
- - Client name: PC0002
- - IP Address: DHCP
-
-## Sample files
-
-The information in this guide is designed to help you deploy Windows 10. In order to help you put the information you learn into practice more quickly, we recommend that you download a small set of sample files for the fictitious Contoso Corporation:
-- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
-- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
-- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
-
-## Related topics
-
-[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Windows 10 deployment tools](../windows-deployment-scenarios-and-tools.md)
-
-[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-
-[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-
-[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-
-[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md)
-
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index e7742fa773..00c0a446a3 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -1,54 +1,171 @@
----
-title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
-description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
-ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, image, feature, install, tools
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Get started with the Microsoft Deployment Toolkit (MDT)
-
-**Applies to**
-- Windows 10
-
-This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager.
-
-In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process.
-
-For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see
-[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-- [Key features in MDT](key-features-in-mdt.md)
-- [MDT Lite Touch components](mdt-lite-touch-components.md)
-- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-
-## Related topics
-
-[Microsoft Deployment Toolkit downloads and documentation](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
+---
+title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
+description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
+ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, image, feature, install, tools
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Get started with MDT
+
+**Applies to**
+- Windows 10
+
+This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+## About MDT
+
+MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
+
+In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
+
+MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/).
+
+## Key features in MDT
+
+MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
+
+MDT has many useful features, such as:
+- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10.
+- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
+- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry.
+- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
+- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI.
+- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
+
+ 
+
+ The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
+
+- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
+- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
+- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
+- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
+- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard.
+- **Monitoring.** Allows you to see the status of currently running deployments.
+- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
+- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
+- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
+- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
+
+ 
+
+ The offline USMT backup in action.
+
+- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
+- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
+- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
+- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office.
+- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
+- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
+- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+## MDT Lite Touch components
+
+Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
+
+When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
+
+
+
+If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
+
+## Deployment shares
+
+A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment.
+
+## Rules
+
+The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
+- Computer name
+- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
+- Whether to enable BitLocker
+- Regional settings
+You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+
+
+Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
+
+## Boot images
+
+Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
+share on the server and start the deployment.
+
+## Operating systems
+
+Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
+
+## Applications
+
+Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
+
+## Driver repository
+
+You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
+
+## Packages
+
+With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
+
+## Task sequences
+
+Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
+
+You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
+- **Gather.** Reads configuration settings from the deployment server.
+- **Format and Partition.** Creates the partition(s) and formats them.
+- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
+- **Apply Operating System.** Uses ImageX to apply the image.
+- **Windows Update.** Connects to a WSUS server and updates the machine.
+
+## Task sequence templates
+
+MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence.
+- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
+
+ **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot.
+
+- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
+- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
+- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
+- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers.
+- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
+- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments.
+- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
+- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
+- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
+
+## Selection profiles
+
+Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
+- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
+- Control which drivers are injected during the task sequence.
+- Control what is included in any media that you create.
+- Control what is replicated to other deployment shares.
+- Filter which task sequences and applications are displayed in the Deployment Wizard.
+
+## Logging
+
+MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
+
+**Note**
+The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
+
+## Monitoring
+
+On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench.
+
+## See next
+
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
deleted file mode 100644
index f0fe20a593..0000000000
--- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Key features in MDT (Windows 10)
-description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0.
-ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, feature, tools, upgrade, migrate, provisioning
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Key features in MDT
-
-**Applies to**
-- Windows 10
-
-The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
-
-MDT has many useful features, the most important of which are:
-- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10.
-- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
-- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry.
-- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
-- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI.
-- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
-
- 
-
- Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
-
-- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
-- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
-- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
-- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
-- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard.
-- **Monitoring.** Allows you to see the status of currently running deployments.
-- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
-- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
-- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
-- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
-
- 
-
- Figure 3. The offline USMT backup in action.
-
-- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
-- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
-- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
-- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013.
-- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
-- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
-- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-## Related topics
-
-[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-
-[MDT Lite Touch components](mdt-lite-touch-components.md)
-
-
diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
deleted file mode 100644
index 15f4f07658..0000000000
--- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-title: MDT Lite Touch components (Windows 10)
-description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10.
-ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, install, deployment, boot, log, monitor
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# MDT Lite Touch components
-
-**Applies to**
-- Windows 10
-
-This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
-When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
-
-
-
-Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
-
-## Deployment shares
-
-A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment.
-
-## Rules
-
-The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
-- Computer name
-- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
-- Whether to enable BitLocker
-- Regional settings
-You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-
-
-Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
-
-## Boot images
-
-Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
-share on the server and start the deployment.
-
-## Operating systems
-
-Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
-
-## Applications
-
-Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
-
-## Driver repository
-
-You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
-
-## Packages
-
-With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
-
-## Task sequences
-
-Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
-
-You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
-- **Gather.** Reads configuration settings from the deployment server.
-- **Format and Partition.** Creates the partition(s) and formats them.
-- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
-- **Apply Operating System.** Uses ImageX to apply the image.
-- **Windows Update.** Connects to a WSUS server and updates the machine.
-
-## Task sequence templates
-
-MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence.
-- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
-
- **Note**
- It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot.
-
-- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
-- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
-- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
-- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers.
-- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
-- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments.
-- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
-- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
-- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
-
-## Selection profiles
-
-Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
-- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
-- Control which drivers are injected during the task sequence.
-- Control what is included in any media that you create.
-- Control what is replicated to other deployment shares.
-- Filter which task sequences and applications are displayed in the Deployment Wizard.
-
-## Logging
-
-MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
-
-**Note**
-The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
-
-## Monitoring
-
-On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench.
-
-## Related topics
-
-[Key features in MDT](key-features-in-mdt.md)
-
-[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index aa2e3ff40e..41701e19c0 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -1,6 +1,6 @@
---
title: Prepare for deployment with MDT (Windows 10)
-description: Learn how to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
+description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
ms.reviewer:
manager: laurawi
@@ -19,51 +19,176 @@ ms.topic: article
# Prepare for deployment with MDT
**Applies to**
-- Windows 10
+- Windows 10
-This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory.
+This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.
-For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+## Infrastructure
-## System requirements
+The procedures in this guide use the following names and infrastructure.
-MDT requires the following components:
-- Any of the following operating systems:
- - Windows 7
- - Windows 8
- - Windows 8.1
- - Windows 10
- - Windows Server 2008 R2
- - Windows Server 2012
- - Windows Server 2012 R2
-- Windows Assessment and Deployment Kit (ADK) for Windows 10
-- Windows PowerShell
-- Microsoft .NET Framework
+### Network and servers
-## Install Windows ADK for Windows 10
+For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**.
+- All servers are running Windows Server 2019.
+ - You can use an earlier version of Windows Server with minor modifications to some procedures.
+ - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is requried to perform the procedures in this guide.
+- **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation.
+- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
+ - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
+- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image.
+ - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
-These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder.
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**.
-3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings:
- 1. Deployment Tools
- 2. Windows Preinstallation Environment (Windows PE)
- 3. User State Migration Tool (USMT)
+### Client computers
- >[!IMPORTANT]
- >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
+Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.
-## Install MDT
+- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
+ - Client name: PC0001
+ - IP Address: DHCP
+- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
+ - Client name: PC0002
+ - IP Address: DHCP
+- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
-These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01.
+### Storage requirements
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings.
+MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive.
-## Create the OU structure
+### Hyper-V requirements
-If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT.
-1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**.
+If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](https://docs.microsoft.com/windows/deployment/windows-10-poc#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
+
+### Network requirements
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+### Domain credentials
+
+The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
+
+**Active Directory domain name**: contoso.com
+**Domain administrator username**: administrator
+**Domain administrator password**: pass@word1
+
+### Organizational unit structure
+
+The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs.
+
+
+
+## Install the Windows ADK
+
+These steps assume that you have the MDT01 member server running and configured as a domain member server.
+
+On **MTD01**:
+
+Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
+- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
+- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
+- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
+
+>[!TIP]
+>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
+
+1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain.
+ - For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
+2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
+3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
+4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
+ - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
+
+## Install and initialize Windows Deployment Services (WDS)
+
+On **MDT01**:
+
+1. Open an elevated Windows PowerShell prompt and enter the following command:
+
+ ```powershell
+ Install-WindowsFeature -Name WDS -IncludeManagementTools
+ WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
+ WDSUTIL /Set-Server /AnswerClients:All
+ ```
+
+## Optional: Install Windows Server Update Services (WSUS)
+
+If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment.
+
+To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:
+
+ ```powershell
+ Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
+ cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
+ ```
+
+>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01.
+
+## Install MDT
+
+>[!NOTE]
+>MDT installation requires the following:
+>- The Windows ADK for Windows 10 (installed in the previous procedure)
+>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+>- Microsoft .NET Framework
+
+On **MDT01**:
+
+1. Visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117) and click **Download MDT**.
+2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
+ - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
+3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
+
+## Create the OU structure
+
+Switch to **DC01** and perform the following procedures on **DC01**:
+
+To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell.
+
+To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
+
+```powershell
+$oulist = Import-csv -Path c:\oulist.txt
+ForEach($entry in $oulist){
+ $ouname = $entry.ouname
+ $oupath = $entry.oupath
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+ Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
+}
+```
+
+Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
+
+```text
+OUName,OUPath
+Contoso,"DC=CONTOSO,DC=COM"
+Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
+Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
+Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
+Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
+```
+
+Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+Set-Location C:\Setup\Scripts
+.\ou.ps1
+```
+
+This will create an OU structure as shown below.
+
+
+
+To use the Active Directory Users and Computers console (instead of PowerShell):
+
+On **DC01**:
+
+1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**.
2. In the **Contoso** OU, create the following OUs:
1. Accounts
2. Computers
@@ -76,55 +201,62 @@ If you do not have an organizational unit (OU) structure in your Active Director
1. Servers
2. Workstations
5. In the **Contoso / Groups** OU, create the following OU:
- - Security Groups
+ 1. Security Groups
-
+The final result of either method is shown below. The **MDT_BA** account will be created next.
-Figure 6. A sample of how the OU structure will look after all the OUs are created.
+## Create the MDT service account
-## Create the MDT service account
+When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings:
- 1. Name: MDT\_BA
- 2. User logon name: MDT\_BA
- 3. Password: P@ssw0rd
- 4. User must change password at next logon: Clear
- 5. User cannot change password: Selected
- 6. Password never expires: Selected
+To create an MDT build account, open an elevalted Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":
-## Create and share the logs folder
+```powershell
+New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+```
+If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above.
+
+## Create and share the logs folder
By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+On **MDT01**:
- ``` powershell
- New-Item -Path E:\Logs -ItemType directory
- New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
- icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
+1. Sign in as **CONTOSO\\administrator**.
+2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+
+ ```powershell
+ New-Item -Path D:\Logs -ItemType directory
+ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
+ icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
```
-
+See the following example:
-Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell.
+
-## Use CMTrace to read log files (optional)
+## Use CMTrace to read log files (optional)
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read.
+The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](https://docs.microsoft.com/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.
+You can use Notepad (example below):
-Figure 8. An MDT log file opened in Notepad.
+Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:
+After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access.
-Figure 9. The same log file, opened in CMTrace, is much easier to read.
-## Related topics
+## Next steps
-[Key features in MDT](key-features-in-mdt.md)
+When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-[MDT Lite Touch components](mdt-lite-touch-components.md)
+## Appendix
+
+**Sample files**
+
+The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell.
+- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
+- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
+- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index 6c0524658f..c0f5f7d8a1 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -1,132 +1,120 @@
----
-title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
-description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
-ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: reinstallation, customize, template, script, restore
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Refresh a Windows 7 computer with Windows 10
-
-**Applies to**
-- Windows 10
-
-This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version.
-
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## The computer refresh process
-
-Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
-For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
-
-1. Back up data and settings locally, in a backup folder.
-
-2. Wipe the partition, except for the backup folder.
-
-3. Apply the new operating system image.
-
-4. Install other applications.
-
-5. Restore data and settings.
-
-During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
-
->[!NOTE]
->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
-
-### Multi-user migration
-
-By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up
-by configuring command-line switches to ScanState (added as rules in MDT).
-
-As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
-
->[!NOTE]
->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
-
-### Support for additional settings
-
-In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles
-
-## Create a custom User State Migration Tool (USMT) template
-
-In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
-
-1. Back up the **C:\\Data** folder (including all files and folders).
-
-2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
- The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
-
- * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
- * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
- * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
-
-### Add the custom XML template
-
-In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file.
-1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder.
-2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line:
-
- ``` syntax
- USMTMigFiles003=MigContosoData.xml
- ```
-3. Save the CustomSettings.ini file.
-
-## Refresh a Windows 7 SP1 client
-
-After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
-
->[!NOTE]
->MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-### Upgrade (refresh) a Windows 7 SP1 client
-
-1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
-
- * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
- * Computer name: <default>
- * Specify where to save a complete computer backup: Do not back up the existing computer
- >[!NOTE]
- >Skip this optional full WIM backup. The USMT backup will still run.
-
-2. Select one or more applications to install: Install - Adobe Reader XI - x86
-
-3. The setup now starts and does the following:
-
- * Backs up user settings and data using USMT.
- * Installs the Windows 10 Enterprise x64 operating system.
- * Installs the added application(s).
- * Updates the operating system via your local Windows Server Update Services (WSUS) server.
- * Restores user settings and data using USMT.
-
-
-
-Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
-
-## Related topics
-
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
+---
+title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
+description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
+ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: reinstallation, customize, template, script, restore
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Refresh a Windows 7 computer with Windows 10
+
+**Applies to**
+- Windows 10
+
+This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001.
+- DC01 is a domain controller for the contoso.com domain.
+- MDT01 is domain member server that hosts your deployment share.
+- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
+
+Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+
+
+The computers used in this topic.
+
+## The computer refresh process
+
+A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings.
+
+For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
+
+1. Back up data and settings locally, in a backup folder.
+2. Wipe the partition, except for the backup folder.
+3. Apply the new operating system image.
+4. Install other applications.
+5. Restore data and settings.
+
+During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
+
+>[!NOTE]
+>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
+
+### Multi-user migration
+
+By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT).
+
+For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
+
+>[!NOTE]
+>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
+
+### Support for additional settings
+
+In addition to the command-line switches that control which profiles to migrate, [XML templates](https://docs.microsoft.com/windows/deployment/usmt/understanding-migration-xml-files) control exactly what data is being migrated. You can control data within and outside the user profiles.
+
+### Multicast
+
+Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting.
+
+## Refresh a Windows 7 SP1 client
+
+In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01:
+
+- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+
+It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909.
+
+### Upgrade (refresh) a Windows 7 SP1 client
+
+>[!IMPORTANT]
+>Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
+
+1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**.
+2. Complete the deployment guide using the following settings:
+
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ * Computer name: <default>
+ * Specify where to save a complete computer backup: Do not back up the existing computer
+ >[!NOTE]
+ >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
+ * Select one or more applications to install: Install - Adobe Reader
+
+ 
+
+4. Setup starts and does the following:
+
+ * Backs up user settings and data using USMT.
+ * Installs the Windows 10 Enterprise x64 operating system.
+ * Installs any added applications.
+ * Updates the operating system using your local Windows Server Update Services (WSUS) server.
+ * Restores user settings and data using USMT.
+
+5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
+
+ 
+
+6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
+
+## Related topics
+
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index f9d1c1f252..1f16c8febd 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -21,68 +21,75 @@ ms.topic: article
**Applies to**
- Windows 10
-A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
-For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
-
+For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007.
+- DC01 is a domain controller for the contoso.com domain.
+- MDT01 is domain member server that hosts your deployment share.
+- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007.
+- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain.
-Figure 1. The machines used in this topic.
+For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-## Prepare for the computer replace
+
-When preparing for the computer replace, you need to create a folder in which to store the backup, and a backup only task sequence that you run on the old computer.
+The computers used in this topic.
+
+>HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer.
+
+## Prepare for the computer replace
+
+ To prepare for the computer replace, you need to create a folder in which to store the backup and a backup only task sequence to run on the old computer.
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
-1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
+On **MDT01**:
-2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
+1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab.
+2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
+3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default setttings.
### Create and share the MigData folder
-1. On MDT01, log on as **CONTOSO\\Administrator**.
+On **MDT01**:
-2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
+1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` powershell
- New-Item -Path E:\MigData -ItemType directory
- New-SmbShare -Name MigData$ -Path E:\MigData
- -ChangeAccess EVERYONE
- icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
+ New-Item -Path D:\MigData -ItemType directory
+ New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE
+ icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
```
### Create a backup only (replace) task sequence
-3. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
+2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
-4. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
* Task sequence ID: REPLACE-001
* Task sequence name: Backup Only Task Sequence
* Task sequence comments: Run USMT to backup user data and settings
* Template: Standard Client Replace Task Sequence
-5. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
+4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
- Figure 2. The Backup Only Task Sequence action list.
+ The Backup Only Task Sequence action list.
-## Perform the computer replace
+## Perform the computer replace
During a computer replace, these are the high-level steps that occur:
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
+2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
-2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
+### Run the replace task sequence
-### Execute the replace task sequence
+On **PC0002**:
-1. On PC0002, log on as **CONTOSO\\Administrator**.
-
-2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
-
-3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
-
-4. Complete the Windows Deployment Wizard using the following settings:
+1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share.
+2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
+3. Complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
* Specify where to save your data and settings: Specify a location
@@ -92,21 +99,24 @@ During a computer replace, these are the high-level steps that occur:
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
2. Specify where to save a complete computer backup: Do not back up the existing computer
- 3. Password: P@ssw0rd
- The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
+ The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
- Figure 3. The new task sequence running the Capture User State action on PC0002.
+ The new task sequence running the Capture User State action on PC0002.
-5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
+4. On **MDT01**, verify that you have an USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
- Figure 4. The USMT backup of PC0002.
+ The USMT backup of PC0002.
-### Deploy the PC0007 virtual machine
+### Deploy the replacement computer
+
+To demonstrate deployment of the replacement computer, HV01 is used to host a virtual machine: PC0007.
+
+On **HV01**:
1. Create a virtual machine with the following settings:
@@ -115,38 +125,40 @@ During a computer replace, these are the high-level steps that occur:
* Generation: 2
* Memory: 2048 MB
* Hard disk: 60 GB (dynamic disk)
+ * Install an operating system from a network-based installation server
-2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
+2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
- Figure 5. The initial PXE boot process of PC0005.
+ The initial PXE boot process of PC0007.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- * Password: P@ssw0rd
* Select a task sequence to execute on this computer:
* Windows 10 Enterprise x64 RTM Custom Image
* Computer Name: PC0007
- * Applications: Select the Install - Adobe Reader XI - x86 application.
+ * Move Data and Settings: Do not move user data and settings.
+ * User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002
+ * Applications: Adobe > Install - Adobe Reader
-4. The setup now starts and does the following:
+4. Setup now starts and does the following:
+ * Partitions and formats the disk.
* Installs the Windows 10 Enterprise operating system.
- * Installs the added application.
+ * Installs the application.
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
+You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01.
+
+
+
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 03899e149e..d54f06dc77 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -37,7 +37,10 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM),
> [!NOTE]
> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
-For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+>[!NOTE]
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
+For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Configure Active Directory for BitLocker
@@ -50,7 +53,7 @@ In Windows Server version from 2008 R2 and later, you have access to the BitLock
-Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
+The BitLocker Recovery information on a computer object in the contoso.com domain.
### Add the BitLocker Drive Encryption Administration Utilities
@@ -69,7 +72,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi
-Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
+Selecting the BitLocker Drive Encryption Administration Utilities.
### Create the BitLocker Group Policy
@@ -103,7 +106,7 @@ In addition to the Group Policy created previously, you need to configure permis
-Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
+Running the Add-TPMSelfWriteACE.vbs script on DC01.
## Add BIOS configuration tools from Dell, HP, and Lenovo
@@ -161,16 +164,10 @@ In the following task sequence, we added five actions:
## Related topics
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index 6278b32fe5..cb28eea313 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -18,15 +18,26 @@ ms.topic: article
# Simulate a Windows 10 deployment in a test environment
-This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined machine (client or server). In the following example, you use the PC0001 Windows 10 client.
-For the purposes of this topic, you already will have either downloaded and installed the free Microsoft System Center 2012 R2 Configuration Manager Toolkit, or copied Configuration Manager Trace (CMTrace) if you have access to the System Center 2012 R2 Configuration Manager media. We also assume that you have downloaded the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery.
+This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined client.
-1. On PC0001, log on as **CONTOSO\\Administrator** using the password P@ssw0rd.
-2. Using Computer Management, add the **CONTOSO\\MDT\_BA** user account to the local **Administrators** group.
-3. Log off, and then log on to PC0001 as **CONTOSO\\MDT\_BA**.
-4. Using File Explorer, create a folder named **C:\\MDT**.
-5. Copy the downloaded Gather.ps1 script to the **C:\\MDT** folder.
-6. From the **\\\\MDT01\\MDTProduction$\\Scripts** folder, copy the following files to **C:\\MDT**:
+## Test environment
+
+- A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts.
+- It is assumed that you have performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share:
+ - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+ - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+ - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+
+## Simulate deployment
+
+On **PC0001**:
+
+1. Sign as **contoso\\Administrator**.
+2. Download the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery and copy it to a directory named **C:\MDT** on PC0001.
+3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool.
+4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group.
+5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**.
+6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**:
1. ZTIDataAccess.vbs
2. ZTIGather.wsf
3. ZTIGather.xml
@@ -35,36 +46,32 @@ For the purposes of this topic, you already will have either downloaded and inst
8. In the **C:\\MDT** folder, create a subfolder named **X64**.
9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
- 
+ 
- Figure 6. The C:\\MDT folder with the files added for the simulation environment.
+ The C:\\MDT folder with the files added for the simulation environment.
-10. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press Enter after each command:
+10. Type the following at an elevated Windows PowerShell prompt:
``` powershell
+ Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
Set-Location C:\MDT
.\Gather.ps1
```
-11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
+ When prompted, press **R** to run the gather script.
+
+11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace.
**Note**
Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment.
+ 
-
-
-Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware capabilities.
+ The ZTIGather.log file from PC0001.
## Related topics
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
new file mode 100644
index 0000000000..38604acbf4
--- /dev/null
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -0,0 +1,114 @@
+---
+title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
+description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
+ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 with MDT
+
+**Applies to**
+- Windows 10
+
+The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
+
+>[!TIP]
+>In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
+
+In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
+
+Three computers are used in this topic: DC01, MDT01, and PC0002.
+
+- DC01 is a domain controller for the contoso.com domain
+- MDT01 is a domain member server
+- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
+
+ 
+
+ The computers used in this topic.
+
+>[!NOTE]
+>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source).
+
+## Create the MDT production deployment share
+
+On **MDT01**:
+
+1. Ensure you are signed on as: contoso\administrator.
+2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
+4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
+5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
+6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
+7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
+
+## Add Windows 10 Enterprise x64 (full source)
+
+>If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
+
+On **MDT01**:
+
+1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
+2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
+3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+ - Full set of source files
+ - Source directory: (location of your source files)
+ - Destination directory name: W10EX64RTM
+5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**.
+
+## Create a task sequence to upgrade to Windows 10 Enterprise
+
+On **MDT01**:
+
+1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
+2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: W10-X64-UPG
+ - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
+ - Template: Standard Client Upgrade Task Sequence
+ - Select OS: Windows 10 Enterprise x64 RTM Default Image
+ - Specify Product Key: Do not specify a product key at this time
+ - Organization: Contoso
+ - Admin Password: Do not specify an Administrator password at this time
+
+## Perform the Windows 10 upgrade
+
+To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded).
+
+On **PC0002**:
+
+1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
+2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**.
+3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
+4. On the **Ready** tab, click **Begin** to start the task sequence.
+ When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+
+
+
+
+
+
+
+
+
+
+After the task sequence completes, the computer will be fully upgraded to Windows 10.
+
+## Related topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/TOC.md b/windows/deployment/deploy-windows-sccm/TOC.md
new file mode 100644
index 0000000000..93aadaebcd
--- /dev/null
+++ b/windows/deployment/deploy-windows-sccm/TOC.md
@@ -0,0 +1,15 @@
+# Deploy Windows 10 with Configuration Manager
+## [Configuration Manager components](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+### [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+### [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
+### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index 06c696d2c7..5a2a0146fc 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -86,23 +86,14 @@ Operating system deployment with Configuration Manager is part of the normal sof
**Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-
## See also
-
- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
-
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-
- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
-
- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
new file mode 100644
index 0000000000..0c75a0f3df
--- /dev/null
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
@@ -0,0 +1,80 @@
+---
+title: Deploy Windows 10 with Configuration Manager (Windows 10)
+description: If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
+ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, custom, boot
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 with Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
+
+For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+
+
+Figure 1. The machines used in this topic.
+
+## In this section
+
+
+- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
+- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+## Components of Configuration Manager operating system deployment
+
+
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+
+- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
+- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
+- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
+- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
+- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
+- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
+
+ **Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
+
+
+
+## See also
+
+- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
+- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
+- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
+- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index adca6df481..8fc3e2cdc1 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,49 +1,39 @@
----
-title: Deploy Windows 10 (Windows 10)
-description: Deploying Windows 10 for IT professionals.
-ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
-author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.date: 11/06/2018
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10
-
-Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
-
-
-|Topic |Description |
-|------|------------|
-|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
-|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
-|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
-|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
-|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
-|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
-
-## Related topics
-
-[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
-
-
-
-
-
-
-
-
-
+---
+title: Deploy Windows 10 (Windows 10)
+description: Deploying Windows 10 for IT professionals.
+ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10
+
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
+
+
+|Topic |Description |
+|------|------------|
+|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
+|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
+
+## Related topics
+
+[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
\ No newline at end of file
diff --git a/windows/deployment/images/acroread.png b/windows/deployment/images/acroread.png
new file mode 100644
index 0000000000..142e7b6d74
Binary files /dev/null and b/windows/deployment/images/acroread.png differ
diff --git a/windows/deployment/images/captureimage.png b/windows/deployment/images/captureimage.png
new file mode 100644
index 0000000000..e9ebbf3aad
Binary files /dev/null and b/windows/deployment/images/captureimage.png differ
diff --git a/windows/deployment/images/dart.png b/windows/deployment/images/dart.png
new file mode 100644
index 0000000000..f5c099e9a0
Binary files /dev/null and b/windows/deployment/images/dart.png differ
diff --git a/windows/deployment/images/dc01-cm01-pc0001.png b/windows/deployment/images/dc01-cm01-pc0001.png
new file mode 100644
index 0000000000..f6adafdf15
Binary files /dev/null and b/windows/deployment/images/dc01-cm01-pc0001.png differ
diff --git a/windows/deployment/images/deployment-workbench01.png b/windows/deployment/images/deployment-workbench01.png
new file mode 100644
index 0000000000..c68ee25db1
Binary files /dev/null and b/windows/deployment/images/deployment-workbench01.png differ
diff --git a/windows/deployment/images/downloads.png b/windows/deployment/images/downloads.png
new file mode 100644
index 0000000000..36c45c4a88
Binary files /dev/null and b/windows/deployment/images/downloads.png differ
diff --git a/windows/deployment/images/fig10-unattend.png b/windows/deployment/images/fig10-unattend.png
index a9d2bc16df..54f0b0f86f 100644
Binary files a/windows/deployment/images/fig10-unattend.png and b/windows/deployment/images/fig10-unattend.png differ
diff --git a/windows/deployment/images/fig2-importedos.png b/windows/deployment/images/fig2-importedos.png
index ed72d2ef4d..90cf910c24 100644
Binary files a/windows/deployment/images/fig2-importedos.png and b/windows/deployment/images/fig2-importedos.png differ
diff --git a/windows/deployment/images/fig2-taskseq.png b/windows/deployment/images/fig2-taskseq.png
index 1da70bd6e7..bdd81ddbde 100644
Binary files a/windows/deployment/images/fig2-taskseq.png and b/windows/deployment/images/fig2-taskseq.png differ
diff --git a/windows/deployment/images/fig4-oob-drivers.png b/windows/deployment/images/fig4-oob-drivers.png
index b1f6924665..14d93fb278 100644
Binary files a/windows/deployment/images/fig4-oob-drivers.png and b/windows/deployment/images/fig4-oob-drivers.png differ
diff --git a/windows/deployment/images/fig8-cust-tasks.png b/windows/deployment/images/fig8-cust-tasks.png
index 378215ee2b..3ab40d730a 100644
Binary files a/windows/deployment/images/fig8-cust-tasks.png and b/windows/deployment/images/fig8-cust-tasks.png differ
diff --git a/windows/deployment/images/image-captured.png b/windows/deployment/images/image-captured.png
new file mode 100644
index 0000000000..69c5d5ef15
Binary files /dev/null and b/windows/deployment/images/image-captured.png differ
diff --git a/windows/deployment/images/iso-data.png b/windows/deployment/images/iso-data.png
new file mode 100644
index 0000000000..f188046b7f
Binary files /dev/null and b/windows/deployment/images/iso-data.png differ
diff --git a/windows/deployment/images/mdt-03-fig02.png b/windows/deployment/images/mdt-03-fig02.png
index d0fd979449..934be09dc1 100644
Binary files a/windows/deployment/images/mdt-03-fig02.png and b/windows/deployment/images/mdt-03-fig02.png differ
diff --git a/windows/deployment/images/mdt-03-fig03.png b/windows/deployment/images/mdt-03-fig03.png
index ba1de39aa0..a387923d80 100644
Binary files a/windows/deployment/images/mdt-03-fig03.png and b/windows/deployment/images/mdt-03-fig03.png differ
diff --git a/windows/deployment/images/mdt-03-fig04.png b/windows/deployment/images/mdt-03-fig04.png
index 26600a2036..437531d2f6 100644
Binary files a/windows/deployment/images/mdt-03-fig04.png and b/windows/deployment/images/mdt-03-fig04.png differ
diff --git a/windows/deployment/images/mdt-03-fig05.png b/windows/deployment/images/mdt-03-fig05.png
index 9c44837022..a7b8d6ca2e 100644
Binary files a/windows/deployment/images/mdt-03-fig05.png and b/windows/deployment/images/mdt-03-fig05.png differ
diff --git a/windows/deployment/images/mdt-07-fig01.png b/windows/deployment/images/mdt-07-fig01.png
index b2ccfec334..90635678e8 100644
Binary files a/windows/deployment/images/mdt-07-fig01.png and b/windows/deployment/images/mdt-07-fig01.png differ
diff --git a/windows/deployment/images/mdt-07-fig08.png b/windows/deployment/images/mdt-07-fig08.png
index 66e2969916..2cbfc47271 100644
Binary files a/windows/deployment/images/mdt-07-fig08.png and b/windows/deployment/images/mdt-07-fig08.png differ
diff --git a/windows/deployment/images/mdt-07-fig09.png b/windows/deployment/images/mdt-07-fig09.png
index ce320427ee..245b59072d 100644
Binary files a/windows/deployment/images/mdt-07-fig09.png and b/windows/deployment/images/mdt-07-fig09.png differ
diff --git a/windows/deployment/images/mdt-07-fig10.png b/windows/deployment/images/mdt-07-fig10.png
index 7aff3c2d76..2c61e0eb3d 100644
Binary files a/windows/deployment/images/mdt-07-fig10.png and b/windows/deployment/images/mdt-07-fig10.png differ
diff --git a/windows/deployment/images/mdt-07-fig11.png b/windows/deployment/images/mdt-07-fig11.png
index 905f8bd572..ce70374271 100644
Binary files a/windows/deployment/images/mdt-07-fig11.png and b/windows/deployment/images/mdt-07-fig11.png differ
diff --git a/windows/deployment/images/mdt-07-fig13.png b/windows/deployment/images/mdt-07-fig13.png
index 849949a2f2..dae9bd23b8 100644
Binary files a/windows/deployment/images/mdt-07-fig13.png and b/windows/deployment/images/mdt-07-fig13.png differ
diff --git a/windows/deployment/images/mdt-07-fig14.png b/windows/deployment/images/mdt-07-fig14.png
index cfe7843eeb..788e609cf6 100644
Binary files a/windows/deployment/images/mdt-07-fig14.png and b/windows/deployment/images/mdt-07-fig14.png differ
diff --git a/windows/deployment/images/mdt-07-fig16.png b/windows/deployment/images/mdt-07-fig16.png
index 80e0925a40..995eaa51c7 100644
Binary files a/windows/deployment/images/mdt-07-fig16.png and b/windows/deployment/images/mdt-07-fig16.png differ
diff --git a/windows/deployment/images/mdt-08-fig01.png b/windows/deployment/images/mdt-08-fig01.png
index 7f795c42d4..7e9e650633 100644
Binary files a/windows/deployment/images/mdt-08-fig01.png and b/windows/deployment/images/mdt-08-fig01.png differ
diff --git a/windows/deployment/images/mdt-08-fig02.png b/windows/deployment/images/mdt-08-fig02.png
index 50c97d8d0c..7a0a4a1bbb 100644
Binary files a/windows/deployment/images/mdt-08-fig02.png and b/windows/deployment/images/mdt-08-fig02.png differ
diff --git a/windows/deployment/images/mdt-08-fig14.png b/windows/deployment/images/mdt-08-fig14.png
index 21b358d1f8..4e5626280a 100644
Binary files a/windows/deployment/images/mdt-08-fig14.png and b/windows/deployment/images/mdt-08-fig14.png differ
diff --git a/windows/deployment/images/mdt-09-fig07.png b/windows/deployment/images/mdt-09-fig07.png
index 431f212f80..a2a9093ff0 100644
Binary files a/windows/deployment/images/mdt-09-fig07.png and b/windows/deployment/images/mdt-09-fig07.png differ
diff --git a/windows/deployment/images/mdt-10-fig05.png b/windows/deployment/images/mdt-10-fig05.png
index 64c0c4a6ee..8625f2972b 100644
Binary files a/windows/deployment/images/mdt-10-fig05.png and b/windows/deployment/images/mdt-10-fig05.png differ
diff --git a/windows/deployment/images/mdt-10-fig09.png b/windows/deployment/images/mdt-10-fig09.png
index ccdd05f34e..bb5010a93d 100644
Binary files a/windows/deployment/images/mdt-10-fig09.png and b/windows/deployment/images/mdt-10-fig09.png differ
diff --git a/windows/deployment/images/mdt-apps.png b/windows/deployment/images/mdt-apps.png
new file mode 100644
index 0000000000..72ee2268f2
Binary files /dev/null and b/windows/deployment/images/mdt-apps.png differ
diff --git a/windows/deployment/images/mdt-monitoring.png b/windows/deployment/images/mdt-monitoring.png
new file mode 100644
index 0000000000..c49732223a
Binary files /dev/null and b/windows/deployment/images/mdt-monitoring.png differ
diff --git a/windows/deployment/images/mdt-offline-media.png b/windows/deployment/images/mdt-offline-media.png
new file mode 100644
index 0000000000..d81ea4e0d8
Binary files /dev/null and b/windows/deployment/images/mdt-offline-media.png differ
diff --git a/windows/deployment/images/mdt-post-upg.png b/windows/deployment/images/mdt-post-upg.png
new file mode 100644
index 0000000000..f41d2ff32b
Binary files /dev/null and b/windows/deployment/images/mdt-post-upg.png differ
diff --git a/windows/deployment/images/mdt-replace.png b/windows/deployment/images/mdt-replace.png
new file mode 100644
index 0000000000..d731037d38
Binary files /dev/null and b/windows/deployment/images/mdt-replace.png differ
diff --git a/windows/deployment/images/mdt-rules.png b/windows/deployment/images/mdt-rules.png
new file mode 100644
index 0000000000..b01c519635
Binary files /dev/null and b/windows/deployment/images/mdt-rules.png differ
diff --git a/windows/deployment/images/mdt-upgrade-proc.png b/windows/deployment/images/mdt-upgrade-proc.png
new file mode 100644
index 0000000000..07a968aed0
Binary files /dev/null and b/windows/deployment/images/mdt-upgrade-proc.png differ
diff --git a/windows/deployment/images/mdt-upgrade.png b/windows/deployment/images/mdt-upgrade.png
new file mode 100644
index 0000000000..c794526ad5
Binary files /dev/null and b/windows/deployment/images/mdt-upgrade.png differ
diff --git a/windows/deployment/images/mdt.png b/windows/deployment/images/mdt.png
new file mode 100644
index 0000000000..76a00ee065
Binary files /dev/null and b/windows/deployment/images/mdt.png differ
diff --git a/windows/deployment/images/monitor-pc0001.PNG b/windows/deployment/images/monitor-pc0001.PNG
new file mode 100644
index 0000000000..072b9cb58c
Binary files /dev/null and b/windows/deployment/images/monitor-pc0001.PNG differ
diff --git a/windows/deployment/images/office-folder.png b/windows/deployment/images/office-folder.png
new file mode 100644
index 0000000000..722cc4d664
Binary files /dev/null and b/windows/deployment/images/office-folder.png differ
diff --git a/windows/deployment/images/pc0001.png b/windows/deployment/images/pc0001.png
new file mode 100644
index 0000000000..839cd3de54
Binary files /dev/null and b/windows/deployment/images/pc0001.png differ
diff --git a/windows/deployment/images/pc0005-vm-office.png b/windows/deployment/images/pc0005-vm-office.png
new file mode 100644
index 0000000000..bb8e96f5af
Binary files /dev/null and b/windows/deployment/images/pc0005-vm-office.png differ
diff --git a/windows/deployment/images/pc0005-vm.png b/windows/deployment/images/pc0005-vm.png
new file mode 100644
index 0000000000..4b2af635c4
Binary files /dev/null and b/windows/deployment/images/pc0005-vm.png differ
diff --git a/windows/deployment/images/pc0006.png b/windows/deployment/images/pc0006.png
new file mode 100644
index 0000000000..6162982966
Binary files /dev/null and b/windows/deployment/images/pc0006.png differ
diff --git a/windows/deployment/images/thinkstation.png b/windows/deployment/images/thinkstation.png
new file mode 100644
index 0000000000..7a144ec5b3
Binary files /dev/null and b/windows/deployment/images/thinkstation.png differ
diff --git a/windows/deployment/images/upgrademdt-fig1-machines.png b/windows/deployment/images/upgrademdt-fig1-machines.png
deleted file mode 100644
index ef553b6595..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig1-machines.png and /dev/null differ
diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
deleted file mode 100644
index afb65c8724..0000000000
--- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Change history for Plan for Windows 10 deployment (Windows 10)
-description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 07/19/2017
-ms.topic: article
----
-
-# Change history for Plan for Windows 10 deployment
-
-
-This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
-
-
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic:
-- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md)
-
-## January 2017
-
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips |
-
-## September 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) |
-| Windows Update for BusinessSetup and deployment of Windows Update for BusinessIntegration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb) |
-
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update).
-
-
-## July 2016
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
-| [Windows 10 servicing overview](../update/waas-overview.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) page. |
-
-
-## May 2016
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Deploy Windows 10 in a school](/education/windows/deploy-windows-10-in-a-school) | New|
-
-## December 2015
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New |
-
-
-## November 2015
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------|-------------|
-| [Chromebook migration guide](/education/windows/chromebook-migration-guide) | New |
-| [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New |
-| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated |
-
-
-
-## Related topics
-
-
-[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10)
-
-[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 6f28178063..dde951580a 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -27,9 +27,9 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
## Related topics
- [Windows 10 servicing options for updates and upgrades](../update/index.md)
-- [Deploy Windows 10 with MDT 2013 Update 1](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows 10 with MDT](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-- [Upgrade to Windows 10 with MDT 2013 Update 1](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 731828c027..2bcc21e872 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -17,6 +17,11 @@ ms.topic: article
# Monitor Windows Updates with Update Compliance
+> [!IMPORTANT]
+> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
+>
+> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
+> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
## Introduction
@@ -46,8 +51,8 @@ The Update Compliance architecture and data flow follows this process:
4. Diagnostic data is available in the Update Compliance solution.
->[!NOTE]
->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md).
+> [!NOTE]
+> This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md).
@@ -55,4 +60,4 @@ The Update Compliance architecture and data flow follows this process:
## Related topics
[Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
\ No newline at end of file
+[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md
index b38df5c5af..b07741ffeb 100644
--- a/windows/deployment/update/update-compliance-perspectives.md
+++ b/windows/deployment/update/update-compliance-perspectives.md
@@ -16,6 +16,10 @@ ms.topic: article
# Perspectives
+> [!IMPORTANT]
+> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
+
+
Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
@@ -33,10 +37,10 @@ The third blade is the **Deployment Status** blade. This defines how many days i
| State | Description |
| --- | --- |
| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
-| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
-| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
-| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. |
-| Cancelled | The update was cancelled. |
+| In Progress | Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
+| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
+| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. |
+| Cancelled | The update was canceled. |
| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
@@ -48,19 +52,19 @@ The final blade is the **Detailed Deployment Status** blade. This blade breaks d
| State | Description |
| --- | --- |
-| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. |
-| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. |
+| Update deferred | When a device's Windows Update for Business policy dictates the update is deferred. |
+| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. |
| Update offered | The device has been offered the update, but has not begun downloading it. |
| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
| Download Started | The update has begun downloading on the device. |
| Download Succeeded | The update has successfully completed downloading. |
| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
-| Install Started | Installation of the update has begun. |
-| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
+| Install Started | Installation of the update has begun. |
+| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
| Reboot Pending | The device has a scheduled reboot to apply the update. |
| Reboot Initiated | The scheduled reboot has been initiated. |
-| Update Completed/Commit | The update has successfully installed. |
+| Update Completed/Commit | The update has successfully installed. |
->[!NOTE]
->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
+> [!NOTE]
+> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md
index edc9156531..b07741ffeb 100644
--- a/windows/deployment/update/update-compliance-wd-av-status.md
+++ b/windows/deployment/update/update-compliance-wd-av-status.md
@@ -1,8 +1,8 @@
---
-title: Update Compliance - Windows Defender AV Status report
+title: Update Compliance - Perspectives
ms.reviewer:
manager: laurawi
-description: an overview of the Windows Defender AV Status report
+description: an overview of Update Compliance Perspectives
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@@ -14,30 +14,57 @@ ms.collection: M365-analytics
ms.topic: article
---
-# Windows Defender AV Status
+# Perspectives
-
+> [!IMPORTANT]
+> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
-The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus.
->[!NOTE]
->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx).
+
-## Windows Defender AV Status sections
-The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.
+Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
-The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
+There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
-Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
-* **Signature out of date** devices are devices with a signature older than 14 days.
-* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
-* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
-* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
-* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
+The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
-## Windows Defender data latency
-Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
+The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
-## Related topics
+## Deployment status
-- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)
+The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
+
+| State | Description |
+| --- | --- |
+| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
+| In Progress | Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
+| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
+| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. |
+| Cancelled | The update was canceled. |
+| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
+| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
+| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
+| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). |
+
+## Detailed deployment status
+
+The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
+
+| State | Description |
+| --- | --- |
+| Update deferred | When a device's Windows Update for Business policy dictates the update is deferred. |
+| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. |
+| Update offered | The device has been offered the update, but has not begun downloading it. |
+| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
+| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
+| Download Started | The update has begun downloading on the device. |
+| Download Succeeded | The update has successfully completed downloading. |
+| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
+| Install Started | Installation of the update has begun. |
+| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
+| Reboot Pending | The device has a scheduled reboot to apply the update. |
+| Reboot Initiated | The scheduled reboot has been initiated. |
+| Update Completed/Commit | The update has successfully installed. |
+
+> [!NOTE]
+> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index df08dd3caa..41edd21e70 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -16,15 +16,15 @@ ms.topic: article
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
-The compliance options have changed with the release of Windows 10, version 1903:
+The compliance options have changed for devices on Windows 10, version 1709 and above:
-- [Starting with Windows 10, version 1903](#starting-with-windows-10-version-1903)
-- [Prior to Windows 10, version 1903](#prior-to-windows-10-version-1903)
+- [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above)
+- [For prior to Windows 10, version 1709](#prior-to-windows-10-version-1709)
-## Starting with Windows 10, version 1903
+## For Windows 10, version 1709 and above
-With a current version of Windows 10, it's best to use the new policy introduced in Windows 10, version 1903: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
+With a current version of Windows 10, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and above: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
- Update/ConfigureDeadlineForFeatureUpdates
- Update/ConfigureDeadlineForQualityUpdates
@@ -43,7 +43,7 @@ Further, the policy includes the option to opt out of automatic restarts until t
|Policy|Description |
|-|-|
-| (starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. |
+| (For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. |
@@ -51,31 +51,34 @@ Further, the policy includes the option to opt out of automatic restarts until t
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
-|(starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 |
+|(For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 |
-When **Specify deadlines for automatic updates and restarts** is set (starting in Windows 10, version 1903):
+When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and above):
-**While restart is pending, before the deadline occurs:**
-- For the first few days, the user receives a toast notification
-- After this period, the user receives this dialog:
+ - **While restart is pending, before the deadline occurs:**
-
-- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
+ - For the first few days, the user receives a toast notification
-
+ - After this period, the user receives this dialog:
-**If the restart is still pending after the deadline passes:**
-- Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
+ 
-
-- Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
+ - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
-
+ 
+
+ - **If the restart is still pending after the deadline passes:**
+
+ - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
+
+ 
+
+ - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
+
+ 
-
-
-## Prior to Windows 10, version 1903
+## Prior to Windows 10, version 1709
Two compliance flows are available:
@@ -119,9 +122,11 @@ Once the device is in the pending restart state, it will attempt to restart the
#### Notification experience for deadline
Notification users get for a quality update deadline:
+
Notification users get for a feature update deadline:
+
### Deadline with user engagement
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index c5595129d2..2d3ffa0e03 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -28,14 +28,13 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi
## Proof-of-concept environment
+For the purposes of this topic, we will use three computers: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a domain member server. PC0001 is a computer running Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Prepare for deployment with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md).
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
-
+The computers used in this topic.
-Figure 1. The machines used in this topic.
-
-## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager
+## Upgrade to Windows 10 with Configuration Manager
System Center 2012 R2 Configuration Manager SP 1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
deleted file mode 100644
index ee85dd816a..0000000000
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
-description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
-ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, update, task sequence, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Perform an in-place upgrade to Windows 10 with MDT
-
-**Applies to**
-- Windows 10
-
-The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process.
-
-## Proof-of-concept environment
-
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-
-
-Figure 1. The machines used in this topic.
-
-## Set up the upgrade task sequence
-
-MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
-
-## Create the MDT production deployment share
-
-The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image:
-
-1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd.
-2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
-3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**.
-4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**.
-5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**.
-6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
-7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
-
-## Add Windows 10 Enterprise x64 (full source)
-
-In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder.
-
-1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
-2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
-3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- - Full set of source files
- - Source directory: E:\\Downloads\\Windows 10 Enterprise x64
- - Destination directory name: W10EX64RTM
-4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image**
-
-
-
-Figure 2. The imported Windows 10 operating system after you rename it.
-
-## Create a task sequence to upgrade to Windows 10 Enterprise
-
-1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
-2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- - Task sequence ID: W10-X64-UPG
- - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
- - Template: Standard Client Upgrade Task Sequence
- - Select OS: Windows 10 Enterprise x64 RTM Default Image
- - Specify Product Key: Do not specify a product key at this time
- - Full Name: Contoso
- - Organization: Contoso
- - Internet Explorer home page: about:blank
- - Admin Password: Do not specify an Administrator Password at this time
-
-
-
-Figure 3. The task sequence to upgrade to Windows 10.
-
-## Perform the Windows 10 upgrade
-
-To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1).
-
-1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
-2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**.
-
- 
-
- Figure 4. Upgrade task sequence.
-
-3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.)
-4. On the **Ready** tab, click **Begin** to start the task sequence.
- When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-
-
-Figure 5. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence.
-
-After the task sequence completes, the computer will be fully upgraded to Windows 10.
-
-## Related topics
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index cd3a28b0ca..3479b54e9c 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -55,7 +55,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
-Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
+Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
@@ -268,7 +268,7 @@ The deployment process for the replace scenario is as follows:
## Related topics
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index fc6a392e8f..944908ad16 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -7,7 +7,6 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm
ms.localizationpriority: medium
-ms.date: 10/11/2017
ms.reviewer:
manager: laurawi
ms.audience: itpro
@@ -446,7 +445,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
- Summary: click **Next**
- Confirmation: click **Finish**
-9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**
-
@@ -1074,10 +1073,3 @@ In the Configuration Manager console, in the Software Library workspace under Op
## Related Topics
[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides)
-
-
-
-
-
-
-
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index 8a7020e6c9..81d649c077 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -251,6 +251,9 @@ See the following examples.
25. Click **OK** to close the Task Sequence Editor.
+> [!NOTE]
+> On Windows 10 1903 and 1909, the **AutopilotConfigurationFile.json** is deleted by the **Prepare Windows for Capture** step. See [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues) for more information and a workaround.
+
### Deploy Content to Distribution Points
Next, ensure that all content required for the task sequence is deployed to distribution points.
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index 5be64cc194..40de54fe9a 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -32,9 +32,9 @@ ms.topic: article
Windows Autopilot for existing devices does not work for Windows 10, version 1903; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
+ Windows Autopilot for existing devices does not work for Windows 10, version 1903 or 1909; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
-This happens because Windows 10, version 1903 deletes the AutopilotConfigurationFile.json file.
+This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConfigurationFile.json file.
To fix this issue:
More informationError importing Windows Autopilot devices from a .csv file Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
Windows Autopilot for existing devices does not follow the Autopilot OOBE experience. Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
Something went wrong is displayed page during OOBE. The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements.
+ Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information. Using PPKGs in combination with Windows Autopilot is not recommended.
## Related topics
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 010a4d2420..a03e5fbb55 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -67,10 +67,10 @@ So, as an example (this is not a device hash, but it's misaligned unpadded Base6
Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic.
- Does decoding the hash fail?
- - Yes: Are the last two characters "="?
- - Yes: Replace both "=" with a single "A" character, then try again
- - No: Add another "=" character at the end, then try again
- - No: That hash is valid
+ - Yes: Are the last two characters "="?
+ - Yes: Replace both "=" with a single "A" character, then try again
+ - No: Add another "=" character at the end, then try again
+ - No: That hash is valid
Looping the logic above on the previous example hash, we get the following permutations:
- Q29udG9zbwAAA
@@ -128,6 +128,8 @@ On devices running a [supported version](https://docs.microsoft.com/windows/rele
The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
+An Azure AD device is created upon import - it's important that this object not be deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.
+
Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.
## Troubleshooting Intune enrollment issues
diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
index 8fa6e44dc7..3fde86eb4c 100644
--- a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
+++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
@@ -18,12 +18,12 @@ ms.reviewer:
robots: noindex,nofollow
---
+# Microsoft Windows diagnostic data for PowerShell license terms
+
MICROSOFT SOFTWARE LICENSE TERMS
MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
-
-
These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
1. INSTALLATION AND USE RIGHTS.
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 013c2a4130..16be1aa6bc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -26,7 +26,7 @@ ms.reviewer:
- Key trust
> [!NOTE]
->There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
+>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
## How many is adequate
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c0e102cb90..6bc04cd39f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -15,7 +15,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/19/2018
+ms.date: 03/05/2020
---
# Windows Hello biometrics in the enterprise
@@ -28,34 +28,36 @@ Windows Hello is the biometric authentication feature that helps strengthen auth
>[!NOTE]
>When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
+Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
## How does Windows Hello work?
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
-The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
+The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
## Why should I let my employees use Windows Hello?
Windows Hello provides many benefits, including:
-- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge.
+- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge.
-- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords!
+- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords!
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
## Where is Windows Hello data stored?
-The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
+The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
+
+Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
## Has Microsoft set any device requirements for Windows Hello?
-We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
+We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
### Fingerprint sensor requirements
-To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
+To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
**Acceptable performance range for small to large size touch sensors**
@@ -70,7 +72,7 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an
- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
### Facial recognition sensors
-To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
+To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
- False Accept Rate (FAR): <0.001%
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index 07be2bbf3d..7d47fb49d1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -50,6 +50,9 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
+## Why does authentication fail immediately after provisioning Hybrid Key Trust?
+In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
+
## What is the password-less strategy?
Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**.
@@ -166,4 +169,3 @@ Windows Hello for Business can work with any third-party federation servers that
## Does Windows Hello for Business work with Mac and Linux clients?
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 6ab596d350..c7b2eca8b7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -37,7 +37,10 @@ New installations are considerably more involved than existing implementations b
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI.
## Active Directory
-This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 or later domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+
+> [!NOTE]
+>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
@@ -93,7 +96,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Highly available certificate revocation list (Azure AD Joined devices).
## Azure Active Directory
-You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
+You've prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index d2b1de480f..016bf3f7d8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -41,6 +41,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+
+> [!NOTE]
+>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
@@ -112,7 +115,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
-Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
+Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
### Section Review
> [!div class="checklist"]
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 42d9d4b606..93ca09aa2f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -25,7 +25,10 @@ ms.reviewer:
- Key trust
-Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
+Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
+
+> [!NOTE]
+>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 57a2493e4c..7a49cdb675 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -64,14 +64,24 @@ Domain controllers automatically request a domain controller certificate (if pub
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
- **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
+ > [!NOTE]
+ > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
8. Close the console.
### Superseding the existing Domain Controller certificate
@@ -81,14 +91,23 @@ Many domain controllers may have an existing domain controller certificate. The
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+
4. Click the **Superseded Templates** tab. Click **Add**.
+
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
+
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
+
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
+
9. Click **OK** and close the **Certificate Templates** console.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
@@ -98,16 +117,28 @@ The certificate template is configured to supersede all the certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
- **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
+5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
+
+ > [!NOTE]
+ > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
6. On the **Request Handling** tab, select **Allow private key to be exported**.
+
7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+
8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
-9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
+9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
10. Close the console.
### Unpublish Superseded Certificate Templates
@@ -117,10 +148,15 @@ The certificate authority only issues certificates based on published certificat
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
+
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
### Publish Certificate Templates to the Certificate Authority
@@ -128,13 +164,20 @@ Sign-in to the certificate authority or management workstation with _Enterprise
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
- * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
+
+ \* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
7. Close the console.
@@ -143,23 +186,37 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
1. Start the **Group Policy Management Console** (gpmc.msc)
+
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
3. Right-click **Group Policy object** and select **New**
+
4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
+
5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
+
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
+
8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
+
9. Select **Enabled** from the **Configuration Model** list.
-10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+
+10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
+
11. Select the **Update certificates that use certificate templates** check box.
+
12. Click **OK**. Close the **Group Policy Management Editor**.
### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**
+
+1. Start the **Group Policy Management Console** (gpmc.msc).
+
+2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**.
+
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
### Validating your work
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 30d604bb53..0b032dbbdc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -44,19 +44,12 @@ As an administrator in an enterprise or educational organization, you can create
## Biometric sign-in
- Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials.
+ Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
-Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data.
-
-## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure sign-in method.
-Fingerprint scan can be enabled on laptop computers using a built-in fingerprint reader or an external USB fingerprint reader, as follows:
-1. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint**
-2. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration.
-3. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension).
-4. If you are unable to sign in with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again.
+Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).
## The difference between Windows Hello and Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 17f9e5e49f..24172f6859 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -23,13 +23,13 @@ ms.reviewer:
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
-This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you’ll use that information to select the correct deployment guide for your needs.
+This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
## Using this guide
-There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they’ve already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
+There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
-This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you’ll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
+This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
### How to Proceed
@@ -80,13 +80,13 @@ The on-premises deployment model is for organizations that do not have cloud ide
> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-It’s fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure.
+It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure.
#### Trust types
-A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
+A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
-The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
@@ -99,14 +99,14 @@ All devices included in the Windows Hello for Business deployment must go throug
#### Key registration
-The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
+The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
#### Multifactor authentication
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
> [!NOTE]
@@ -156,9 +156,9 @@ Some deployment combinations require an Azure account, and some require Azure Ac
## Planning a Deployment
-Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization’s infrastructure.
+Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure.
-Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you’ll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment.
+Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment.
### Deployment Model
@@ -170,8 +170,8 @@ If your organization is federated with Azure or uses any online service, such as
If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet.
> [!NOTE]
-> If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results.
-> ```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords```
+> If you're unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results.
+> ```Get-AdObject "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords```
> * If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
> * If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement
> * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet.
@@ -209,13 +209,13 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS**
### Directory Synchronization
-Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multi-factor authentication during provisioning or writing the user’s public key.
+Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multi-factor authentication during provisioning or writing the user's public key.
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized.
If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
-If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credentials remain on the on-premises network.
+If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user's credentials remain on the on-premises network.
### Multifactor Authentication
@@ -341,6 +341,6 @@ Modern managed devices do not require an Azure AD premium subscription. By forg
If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**.
-## Congratulations, You’re Done
+## Congratulations, You're Done
-Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you’ll be able to identify key elements of your Windows Hello for Business deployment.
+Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 55521c5955..2b444785f5 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -136,8 +136,8 @@
#### [Custom detections]()
-##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
+##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
@@ -277,7 +277,7 @@
###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server 2016 and 2019](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
##### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index cf1a7b6902..2506c860d3 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -2,7 +2,7 @@
title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK)
ms.reviewer:
description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis.
-keywords: av-test, av-comparatives, SE labs, MITRE ATT&CK, antivirus test, av testing, security product testing, security industry tests, industry antivirus tests, best antivirus, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows Defender Antivirus, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection
+keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
@@ -50,7 +50,7 @@ The AV-TEST Product Review and Certification Report tests on three categories: p
### AV-Comparatives: Protection rating of 99.9% in the latest test
-Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system’s performance.
+Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.
- Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) **Latest**
@@ -94,7 +94,7 @@ MITRE tested the ability of products to detect techniques commonly used by the t
## To what extent are tests representative of protection in the real world?
-Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
+Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
index c25ee5cfa4..9698e75980 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@@ -35,13 +35,16 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
-2. Click **Apply**.
+2. Click **Apply**.
+
-3. Enter your name and email address so that Microsoft can get back to you on your application.
+3. Enter your name and email address so that Microsoft can get back to you on your application.
+
-4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved.
+4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
+
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
@@ -74,15 +77,17 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
->
+ 
->A flyout screen opens. The following screen shows when you are on a trial subscription.
->
+ A flyout screen opens. The following screen shows when you are on a trial subscription.
-> The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
->
+ 
->The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
+ The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
+
+ 
+
+ The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index c5a436c489..5254713db3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -1,7 +1,7 @@
---
title: Create and manage custom detection rules in Microsoft Defender ATP
ms.reviewer:
-description: Learn how to create and manage custom detections rules based on advanced hunting queries
+description: Learn how to create and manage custom detection rules based on advanced hunting queries
keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -19,7 +19,7 @@ ms.topic: article
---
-# Create and manage custom detections rules
+# Create and manage custom detection rules
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -34,7 +34,7 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
#### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png
new file mode 100644
index 0000000000..05ac6c4637
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index fe9095c926..301ad65ba0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -144,6 +144,13 @@ More details about certain events are provided in the **Additional information**
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
+#### Event details
+Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
+
+To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.
+
+
+
### Security recommendations
**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 79bae6b394..84d747929e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux manually
-ms.reviewer:
+ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -37,11 +37,11 @@ Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defende
## Configure the Linux software repository
-Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
+Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
-The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
+In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
### RHEL and variants (CentOS and Oracle EL)
@@ -53,13 +53,13 @@ In order to preview new features and provide early feedback, it is recommended t
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+ For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
```
- Install the Microsoft GPG public key:
@@ -67,12 +67,18 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
-
+
```bash
sudo rpm --import microsoft.asc
```
-- Download and make usable all the metadata for the currently enabled yum repositories:
+- Install `yum-utils` if it is not already installed:
+
+ ```bash
+ sudo yum install yum-utils
+ ```
+
+- Download and make usable all the metadata for the currently enabled yum repositories:
```bash
yum makecache
@@ -85,10 +91,10 @@ In order to preview new features and provide early feedback, it is recommended t
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
```bash
- sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+ For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
```bash
sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
@@ -99,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
-
+
```bash
rpm --import microsoft.asc
```
@@ -112,6 +118,12 @@ In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install curl
```
+- Install `libplist-utils` if it is not already installed:
+
+ ```bash
+ sudo apt-get install libplist-utils
+ ```
+
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
@@ -120,10 +132,10 @@ In order to preview new features and provide early feedback, it is recommended t
curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
```
- For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+ For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
+ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
```
- Install the repository configuration:
@@ -141,12 +153,7 @@ In order to preview new features and provide early feedback, it is recommended t
- Install the Microsoft GPG public key:
```bash
- curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
- ```
-
- ```bash
- sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
-
+ curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
```
- Install the https driver if it's not already present:
@@ -193,7 +200,7 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file.
Extract the contents of the archive:
-
+
```bash
ls -l
total 8
@@ -234,6 +241,9 @@ Download the onboarding package from Microsoft Defender Security Center:
1
```
+ > [!IMPORTANT]
+ > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
+
5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 8eae3591a3..bdba284676 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -42,7 +42,7 @@ Before you get started, please see [the main Microsoft Defender ATP for Linux pa
- Curl
- Unzip
-- All host must be listed in the following format in the `/etc/ansible/hosts` file:
+- All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
```bash
[servers]
@@ -129,11 +129,11 @@ Create subtask or role files that contribute to an actual task. Create the follo
- Add the Microsoft Defender ATP repository and key.
- Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
+ Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
- The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
+ The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
- In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
+ In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
@@ -233,6 +233,9 @@ Now run the tasks files under `/etc/ansible/playbooks/`.
$ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
```
+> [!IMPORTANT]
+> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes.
+
- Validation/configuration:
```bash
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index a27c84b264..177ef802de 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -78,11 +78,11 @@ install_mdatp
### Contents of `install_mdatp/manifests/init.pp`
-Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
+Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
-The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
+In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
@@ -167,6 +167,9 @@ $ mdatp --health healthy
The above command prints `1` if the product is onboarded and functioning as expected.
+> [!IMPORTANT]
+> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
+
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
- 1 if the device is not yet onboarded.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
index 256186213a..537883114e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -35,7 +35,7 @@ This topic describes the structure of this profile (including a recommended prof
The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
-Typically, you would use a configuration management tool to push a file with the name ```mdatp_maanged.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
+Typically, you would use a configuration management tool to push a file with the name ```mdatp_managed.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
@@ -51,7 +51,7 @@ The *antivirusEngine* section of the configuration profile is used to manage the
#### Enable / disable real-time protection
-Detemines whether real-time protection (scan files as they are accessed) is enabled or not.
+Determines whether real-time protection (scan files as they are accessed) is enabled or not.
|||
|:---|:---|
@@ -61,7 +61,7 @@ Detemines whether real-time protection (scan files as they are accessed) is enab
#### Enable / disable passive mode
-Detemines whether the antivirus engine runs in passive mode or not. In passive mode:
+Determines whether the antivirus engine runs in passive mode or not. In passive mode:
- Real-time protection is turned off.
- On-demand scanning is turned on.
- Automatic threat remediation is turned off.
@@ -351,6 +351,16 @@ The following configuration profile contains entries for all settings described
}
```
+## Configuration profile validation
+
+The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
+
+```bash
+$ python -m json.tool mdatp_managed.json
+```
+
+If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
+
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 84b0a77870..4fc8a7c36e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -730,13 +730,24 @@ The following configuration profile contains entries for all settings described
```
+## Configuration profile validation
+
+The configuration profile must be a valid *.plist* file. This can be checked by executing:
+
+```bash
+$ plutil -lint com.microsoft.wdav.plist
+com.microsoft.wdav.plist: OK
+```
+
+If the configuration profile is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
+
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.
### JAMF deployment
-From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the .plist produced earlier.
+From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the *.plist* produced earlier.
>[!CAUTION]
>You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender ATP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index e35c4b95e5..bda42ad846 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -13,7 +13,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -59,7 +59,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
-The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
+The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
@@ -72,6 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
+- ```sudo rm -rf '/Library/Application Support/Microsoft/Defender/'```
## Configuring from the command line
@@ -98,29 +99,10 @@ Important tasks, such as controlling product settings and triggering on-demand s
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |
+## Client Microsoft Defender ATP quarantine directory
+
+`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
+
## Microsoft Defender ATP portal information
-In the Microsoft Defender ATP portal, you'll see two categories of information.
-
-Antivirus alerts, including:
-
- - Severity
- - Scan type
- - Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
- - File information (name, path, size, and hash)
- - Threat information (name, type, and state)
-
-Device information, including:
-
- - Machine identifier
- - Tenant identifier
- - App version
- - Hostname
- - OS type
- - OS version
- - Computer model
- - Processor architecture
- - Whether the device is a virtual machine
-
- > [!NOTE]
- > Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center.
+[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 34df1f32fc..ebad1005b3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -19,6 +19,22 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Mac
+> [!NOTE]
+> In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions.
+>
+> In the meantime, starting with macOS Catalina update 10.15.4, Apple introduced a user facing *Legacy System Extension* warning to signal applications that rely on kernel extensions.
+>
+> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+
+## 100.86.91
+
+> [!CAUTION]
+> To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current – 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].
+>
+> If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection.
+
+- Performance improvements & bug fixes
+
## 100.83.73
- Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions)
@@ -37,9 +53,9 @@ ms.topic: conceptual
- Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
- Added a new switch to the command-line utility for testing the connectivity with the backend service
-```bash
-$ mdatp --connectivity-test
-```
+ ```bash
+ $ mdatp --connectivity-test
+ ```
- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
- Performance improvements & bug fixes
@@ -60,12 +76,12 @@ $ mdatp --connectivity-test
- Added support for macOS Catalina
-> [!CAUTION]
-> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
->
-> The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
->
-> - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
-> - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+ > [!CAUTION]
+ > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
+ >
+ > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
+ >
+ > - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
+ > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index 36e0aff59f..ad38c483b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -20,6 +20,15 @@ ms.topic: conceptual
# Microsoft Defender ATP for Linux
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+>
+> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
+
This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4q3yP]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index be43f23ee8..fa9b382efb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -114,6 +114,10 @@ Microsoft regularly publishes software updates to improve performance, security,
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
+## macOS kernel and system extensions
+
+In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender Advanced Threat Protection for Mac](mac-whatsnew.md) for relevant details.
+
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 17897257a2..b42e1c8729 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.reviewer:
+ms.reviewer: ksarens
manager: dansimp
---
@@ -22,14 +22,12 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*.
-
-This utility can be useful when you want to automate Windows Defender Antivirus use.
-
-You can find the utility in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_. You must run it from a command prompt.
+You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+>
+> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\