| 0x80070003- 0x20007
| This is a failure during SafeOS phase driver installation.
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 5bb2a95e0c..9f3b61be3a 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -91,7 +91,7 @@ The following tables provide the corresponding phase and operation for values of
-| Extend code: phase |
+ | Extend code: phase |
| Hex | Phase
| | 0 | SP_EXECUTION_UNKNOWN
| | 1 | SP_EXECUTION_DOWNLEVEL
@@ -103,7 +103,7 @@ The following tables provide the corresponding phase and operation for values of
-| Extend code: operation |
+ | Extend code: operation |
| Hex | Operation
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 7a4fb81ed7..fb9fdbecee 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -1,1106 +1,1109 @@
----
-title: Configure a test lab to deploy Windows 10
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, mdt, sccm
-ms.localizationpriority: medium
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Step by step guide: Configure a test lab to deploy Windows 10
-
-**Applies to**
-
-- Windows 10
-
-This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
-
-- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
-- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
-
-Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software.
-
-Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
-
-> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
->
-> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
-
-Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
-
-## In this guide
-
-This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings.
-
-After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
-
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-
-
-
-
-## Hardware and software requirements
-
-One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
-
-- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
-- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
-
-Harware requirements are displayed below:
-
-
-
-
-
- |
- Computer 1 (required) |
- Computer 2 (recommended) |
-
-
- | Role |
- Hyper-V host |
- Client computer |
-
-
- | Description |
- This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module. |
- This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process. |
-
-
- | OS |
- Windows 8.1/10 or Windows Server 2012/2012 R2/2016* |
- Windows 7 or a later |
-
-
- | Edition |
- Enterprise, Professional, or Education |
- Any |
-
-
- | Architecture |
- 64-bit |
- Any
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade. |
-
-
- | RAM |
- 8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
-
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager. |
- Any |
-
-
- | Disk |
- 200 GB available hard disk space, any format. |
- Any size, MBR formatted. |
-
-
- | CPU |
- SLAT-Capable CPU |
- Any |
-
-
- | Network |
- Internet connection |
- Any |
-
-
-
-
- \*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
-
- The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
-
-
-[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VM](#convert-pc-to-vm)
-[Resize VHD](#resize-vhd)
-[Configure Hyper-V](#configure-hyper-v)
-[Configure VMs](#configure-vms)
-
-### Verify support and install Hyper-V
-
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
-
-1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
-
- C:\>systeminfo
-
- ...
- Hyper-V Requirements: VM Monitor Mode Extensions: Yes
- Virtualization Enabled In Firmware: Yes
- Second Level Address Translation: Yes
- Data Execution Prevention Available: Yes
-
-
- In this example, the computer supports SLAT and Hyper-V.
-
- If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-
- You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
-
-
- C:\>coreinfo -v
-
- Coreinfo v3.31 - Dump information on system CPU and memory topology
- Copyright (C) 2008-2014 Mark Russinovich
- Sysinternals - www.sysinternals.com
-
- Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
- Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
- Microcode signature: 0000001B
- HYPERVISOR - Hypervisor is present
- VMX * Supports Intel hardware-assisted virtualization
- EPT * Supports Intel extended page tables (SLAT)
-
-
- Note: A 64-bit operating system is required to run Hyper-V.
-
-2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
-
- Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
-
- This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
-
- Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
-
- When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
-
- >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
-
- 
-
- 
-
- If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
-
-### Download VHD and ISO files
-
-When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
-
-1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
-
- **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
-
- After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
-
-
-  |
-
-
-2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
-3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
-4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
-
- >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
-
-5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
-
-After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
-
-The following displays the procedures described in this section, both before and after downloading files:
-
-
-C:>mkdir VHD
-C:>cd VHD
-C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
-C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
- 1 file(s) copied.
-C:\VHD ren *.iso w10-enterprise.iso
-C:\VHD>dir /B
-2012R2-poc-1.vhd
-2012R2-poc-2.vhd
-w10-enterprise.iso
-
-
-### Convert PC to VM
-
->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
-
-
-If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
-
-
-- Open the Download virtual machines page.
-
- Under Virtual machine, choose IE11 on Win7.
-
- Under Select platform choose HyperV (Windows).
-
- Click Download .zip. The download is 3.31 GB.
-
- Extract the zip file. Three directories are created.
-
- Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory.
-
- Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx).
-
- In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd.
-
- |
-
-If you have a PC available to convert to VM (computer 2):
-
-1. Sign in on computer 2 using an account with Administrator privileges.
-
->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
-
-2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
-3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
-
-#### Determine the VM generation and partition type
-
-When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
-
-
-
-
-
- |
- Architecture |
- Operating system |
- Partition style |
-
-
- | Generation 1 |
- 32-bit or 64-bit |
- Windows 7 or later |
- MBR |
-
-
- | Generation 2 |
- 64-bit |
- Windows 8 or later |
- MBR or GPT |
-
-
-
-
-Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-
-If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
-
-
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName Caption Type
----------- ------- ----
-USER-PC1 Disk #0, Partition #0 GPT: System
-USER-PC1 Disk #0, Partition #1 GPT: Basic Data
-
-
-On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
-
-
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName Caption Type
----------- ------- ----
-PC-X1 Disk #0, Partition #0 GPT: Unknown
-PC-X1 Disk #0, Partition #1 GPT: System
-PC-X1 Disk #0, Partition #2 GPT: Basic Data
-PC-X1 Disk #0, Partition #3 GPT: Basic Data
-PC-X1 Disk #0, Partition #4 GPT: Basic Data
-
-PS C:> Get-Disk
-
-Number Friendly Name OperationalStatus Total Size Partition Style
------- ------------- ----------------- ---------- ---------------
-0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT
-
-
-
-
-**Choosing a VM generation**
-
-The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
-
-
-
-Notes:
-
-- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk.
-
- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM.
-
- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM.
-
-
-#### Prepare a generation 1 VM
-
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
- >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
-4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
-
- 
-
- >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
-
-5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
-
- C:\vhd>dir /B
- 2012R2-poc-1.vhd
- 2012R2-poc-2.vhd
- w10-enterprise.iso
- w7.VHDX
-
-
-#### Prepare a generation 2 VM
-
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
- >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, open an elevated command prompt and type the following command:
-
- mountvol s: /s
-
- This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
-
-3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
-
- **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
-
-5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
-
- 
-
- >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
-
-6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
-
- C:\vhd>dir /B
- 2012R2-poc-1.vhd
- 2012R2-poc-2.vhd
- w10-enterprise.iso
- PC1.VHDX
-
-
-#### Prepare a generation 1 VM from a GPT disk
-
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
- >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
-4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
-
- 
-
- >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
-
-5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
-
- C:\vhd>dir /B
- 2012R2-poc-1.vhd
- 2012R2-poc-2.vhd
- w10-enterprise.iso
- w7.VHD
-
-
- >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
-
-### Resize VHD
-
-
-Enhanced session mode
-
-**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
-
-To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-Set-VMhost -EnableEnhancedSessionMode $TRUE
-
->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-
-
-
-The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
-
-1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-
- Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
- $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
- Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
-
-
-2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
-
-
- Get-Volume -DriveLetter $x
- Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
-
-### Configure Hyper-V
-
-1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
-
- >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
- A) Remove the existing external virtual switch, then add the poc-external switch
- B) Rename the existing external switch to "poc-external"
- C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
- If you choose B) or C), then do not run the second command below.
-
-
- New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
- New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
-
-
- **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
-
- >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
-
-2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
-
-
- (Get-VMHostNumaNode).MemoryAvailable
-
-
- This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
-
-3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
-
-
- (Get-VMHostNumaNode).MemoryAvailable/4
- 2775.5
-
-
- In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
-
-4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
- >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
-
-
- $maxRAM = 2700MB
- New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
- Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
- New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
- Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
- Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
-
-
- **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
-
-5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
-
- To create a generation 1 VM (using c:\vhd\w7.vhdx):
-
-
- New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
- Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
-
- To create a generation 2 VM (using c:\vhd\PC1.vhdx):
-
-
- New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
- Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
-
- To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
-
- >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
-
- First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
-
-
- New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
- Mount-VHD -Passthru |
- Get-Disk -Number {$_.DiskNumber} |
- Initialize-Disk -PartitionStyle MBR -PassThru |
- New-Partition -UseMaximumSize |
- Format-Volume -Confirm:$false -FileSystem NTFS -force
- Dismount-VHD -Path c:\vhd\d.vhd
-
-
- Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt):
-
-
- New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
- Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
- Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
- Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
- Start-VM PC1
- vmconnect localhost PC1
-
-
- The VM will automatically boot into Windows Setup. In the PC1 window:
-
- 1. Click **Next**.
- 2. Click **Repair your computer**.
- 3. Click **Troubleshoot**.
- 4. Click **Command Prompt**.
- 5. Type the following command to save an image of the OS drive:
-
-
- dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
-
-
- 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
-
-
- diskpart
- select disk 0
- clean
- convert MBR
- create partition primary size=100
- format fs=ntfs quick
- active
- create partition primary
- format fs=ntfs quick label=OS
- assign letter=c
- exit
-
-
- 7. Type the following commands to restore the OS image and boot files:
-
-
- dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
- bcdboot c:\windows
- exit
-
-
- 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
- 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
- 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
-
-
- Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
- Set-VMDvdDrive -VMName PC1 -Path $null
-
-
-### Configure VMs
-
-1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
-
-
- Start-VM DC1
- vmconnect localhost DC1
-
-
-2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
-3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
-5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
-
-
- Rename-Computer DC1
- New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
- Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-
-
- > The default gateway at 192.168.0.2 will be configured later in this guide.
- >
- > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
-
-6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
-
-
- Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-
-
-7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
-
-
- Restart-Computer
-
-
-8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
-
-
- $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
- Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
-
-
- Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
-
-9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
-
-
- Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
- Add-WindowsFeature -Name DHCP -IncludeManagementTools
- netsh dhcp add securitygroups
- Restart-Service DHCPServer
- Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
- Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
-
-
-10. Next, add a DHCP scope and set option values:
-
-
- Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
- Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
-
-
- >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
-
-11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
-
-
- Get-DnsServerForwarder
-
-
- The following output should be displayed:
-
-
- UseRootHint : True
- Timeout(s) : 3
- EnableReordering : True
- IPAddress : 192.168.0.2
- ReorderedIPAddress : 192.168.0.2
-
-
- If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
-
-
- Add-DnsServerForwarder -IPAddress 192.168.0.2
-
-
- **Configure service and user accounts**
-
- Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
-
- >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
- On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
-
- New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
- Set-ADUser -Identity user1 -PasswordNeverExpires $true
- Set-ADUser -Identity administrator -PasswordNeverExpires $true
- Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
- Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
- Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
-
-
-12. Minimize the DC1 VM window but **do not stop** the VM.
-
- Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
-
-13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
-
-
- Start-VM PC1
- vmconnect localhost PC1
-
-
-14. Sign in to PC1 using an account that has local administrator rights.
-
- >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
-
-15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
-
- 
-
- >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
-
-16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
-
-17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
-
- To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
-
- ```
- ipconfig
-
- Windows IP Configuration
-
- Ethernet adapter Local Area Connection 3:
- Connection-specific DNS Suffix . : contoso.com
- Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18
- Ipv4 Address. . . . . . . . . . . : 192.168.0.101
- Subnet Mask . . . . . . . . . . . : 255.255.255.0
- Default Gateway . . . . . . . . . : 192.168.0.2
-
- ping dc1.contoso.com
-
- Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data:
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
-
- nltest /dsgetdc:contoso.com
- DC: \\DC1
- Address: \\192.168.0.1
- Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8
- Dom Name: CONTOSO
- Forest Name: contoso.com
- Dc Site Name: Default-First-Site-Name
- Our Site Name: Default-First-Site-Name
- Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
- ```
-
- >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
-
-18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
-
-
- (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
- $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
- $user = "contoso\administrator"
- $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
- Add-Computer -DomainName contoso.com -Credential $cred
- Restart-Computer
-
-
- >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
-
- See the following example:
-
- 
-
-19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
-20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
-
-
- Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
- Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
-
-
- >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
-
- If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
-
-21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
-
-
- Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
-
-
- >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
-
-22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
- >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
-23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
-24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
-
-
- Start-VM SRV1
- vmconnect localhost SRV1
-
-
-25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
-26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
-27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
-
-
- Rename-Computer SRV1
- New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
- Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
- Restart-Computer
-
-
- >[!IMPORTANT]
- >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name.
-
-28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
-
-
- $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
- $user = "contoso\administrator"
- $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
- Add-Computer -DomainName contoso.com -Credential $cred
- Restart-Computer
-
-
-29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
-
-
- Install-WindowsFeature -Name DNS -IncludeManagementTools
- Install-WindowsFeature -Name WDS -IncludeManagementTools
- Install-WindowsFeature -Name Routing -IncludeManagementTools
-
-
-30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
-
- To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
-
-
- Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
-
- IPAddress InterfaceAlias
- --------- --------------
- 10.137.130.118 Ethernet 2
- 192.168.0.2 Ethernet
-
-
- In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
-
- >[!TIP]
- >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
-
-
-31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
-
-
- Install-RemoteAccess -VpnType Vpn
- cmd /c netsh routing ip nat install
- cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
- cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
- cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
-
-
-32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
-
-
- Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
-
-
-33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
-
-
- ping www.microsoft.com
-
-
- If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
-
- **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
-
-
- Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
-
-
-34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
-
-
- PS C:\> ping www.microsoft.com
-
- Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
- Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
- Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
- Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
- Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
-
- Ping statistics for 23.222.146.170:
- Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
- Approximate round trip times in milli-seconds:
- Minimum = 1ms, Maximum = 3ms, Average = 2ms
-
-
-35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
-36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
-
-
- runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
- Restart-Computer
-
-
-This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
-
-## Appendix A: Verify the configuration
-
-Use the following procedures to verify that the PoC environment is configured properly and working as expected.
-
-1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
-
- Get-Service NTDS,DNS,DHCP
- DCDiag -a
- Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
- Get-DnsServerForwarder
- Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
- Get-DhcpServerInDC
- Get-DhcpServerv4Statistics
- ipconfig /all
-
-
- **Get-Service** displays a status of "Running" for all three services.
- **DCDiag** displays "passed test" for all tests.
- **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
- **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
- **Resolve-DnsName** displays public IP address results for www.microsoft.com.
- **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
- **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
- **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
-
-2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
-
-
- Get-Service DNS,RemoteAccess
- Get-DnsServerForwarder
- Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
- ipconfig /all
- netsh int ipv4 show address
-
-
- **Get-Service** displays a status of "Running" for both services.
- **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
- **Resolve-DnsName** displays public IP address results for www.microsoft.com.
- **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
- **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
-
-3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
-
-
- whoami
- hostname
- nslookup www.microsoft.com
- ping -n 1 dc1.contoso.com
- tracert www.microsoft.com
-
-
- **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
- **hostname** displays the name of the local computer, for example W7PC-001.
- **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
- **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
- **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
-
-
-## Appendix B: Terminology used in this guide
-
-
-
-
-
-
-| Term | Definition
- | | GPT | GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
- | | Hyper-V | Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
- | | Hyper-V host | The computer where Hyper-V is installed.
- | | Hyper-V Manager | The user-interface console used to view and configure Hyper-V.
- | | MBR | Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
- | | Proof of concept (PoC) | Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
- | | Shadow copy | A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
- | | Virtual machine (VM) | A VM is a virtual computer with its own operating system, running on the Hyper-V host.
- | | Virtual switch | A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
- | | VM snapshot | A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
- |
-
-
+- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
+
+Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software.
+
+Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
+
+> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
+>
+> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
+
+Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
+
+## In this guide
+
+This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings.
+
+After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
+
+Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
+
+
+
+## Hardware and software requirements
+
+One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
+
+- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
+- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
+
+Hardware requirements are displayed below:
+
+
+
+
+
+ |
+ Computer 1 (required) |
+ Computer 2 (recommended) |
+
+
+ | Role |
+ Hyper-V host |
+ Client computer |
+
+
+ | Description |
+ This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module. |
+ This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process. |
+
+
+ | OS |
+ Windows 8.1/10 or Windows Server 2012/2012 R2/2016* |
+ Windows 7 or a later |
+
+
+ | Edition |
+ Enterprise, Professional, or Education |
+ Any |
+
+
+ | Architecture |
+ 64-bit |
+ Any
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade. |
+
+
+ | RAM |
+ 8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
+
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager. |
+ Any |
+
+
+ | Disk |
+ 200 GB available hard disk space, any format. |
+ Any size, MBR formatted. |
+
+
+ | CPU |
+ SLAT-Capable CPU |
+ Any |
+
+
+ | Network |
+ Internet connection |
+ Any |
+
+
+
+
+ \*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
+
+ The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
+
+
+[Download VHD and ISO files](#download-vhd-and-iso-files)
+[Convert PC to VM](#convert-pc-to-vm)
+[Resize VHD](#resize-vhd)
+[Configure Hyper-V](#configure-hyper-v)
+[Configure VMs](#configure-vms)
+
+### Verify support and install Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
+
+ C:\>systeminfo
+
+ ...
+ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
+ Virtualization Enabled In Firmware: Yes
+ Second Level Address Translation: Yes
+ Data Execution Prevention Available: Yes
+
+
+ In this example, the computer supports SLAT and Hyper-V.
+
+ If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+ You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+
+
+ C:\>coreinfo -v
+
+ Coreinfo v3.31 - Dump information on system CPU and memory topology
+ Copyright (C) 2008-2014 Mark Russinovich
+ Sysinternals - www.sysinternals.com
+
+ Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+ Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+ Microcode signature: 0000001B
+ HYPERVISOR - Hypervisor is present
+ VMX * Supports Intel hardware-assisted virtualization
+ EPT * Supports Intel extended page tables (SLAT)
+
+
+ Note: A 64-bit operating system is required to run Hyper-V.
+
+2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
+
+ Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
+
+ This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
+
+ Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+
+ When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
+
+ >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+
+ 
+
+ 
+
+ If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
+
+### Download VHD and ISO files
+
+When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
+
+1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
+
+ **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
+
+ After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
+
+
+ | |
+
+
+2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
+3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
+4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
+
+ >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
+
+5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
+
+After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
+
+The following displays the procedures described in this section, both before and after downloading files:
+
+
+C:>mkdir VHD
+C:>cd VHD
+C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
+C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
+ 1 file(s) copied.
+C:\VHD ren *.iso w10-enterprise.iso
+C:\VHD>dir /B
+2012R2-poc-1.vhd
+2012R2-poc-2.vhd
+w10-enterprise.iso
+
+
+### Convert PC to VM
+
+>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
+
+
+If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
+
+
+- Open the Download virtual machines page.
+
- Under Virtual machine, choose IE11 on Win7.
+
- Under Select platform choose HyperV (Windows).
+
- Click Download .zip. The download is 3.31 GB.
+
- Extract the zip file. Three directories are created.
+
- Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory.
+
- Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx).
+
- In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd.
+
+ |
+
+If you have a PC available to convert to VM (computer 2):
+
+1. Sign in on computer 2 using an account with Administrator privileges.
+
+>Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
+
+2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
+3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+
+#### Determine the VM generation and partition type
+
+When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
+
+
+
+
+
+ |
+ Architecture |
+ Operating system |
+ Partition style |
+
+
+ | Generation 1 |
+ 32-bit or 64-bit |
+ Windows 7 or later |
+ MBR |
+
+
+ | Generation 2 |
+ 64-bit |
+ Windows 8 or later |
+ MBR or GPT |
+
+
+
+
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+
+If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
+
+
+PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName Caption Type
+---------- ------- ----
+USER-PC1 Disk #0, Partition #0 GPT: System
+USER-PC1 Disk #0, Partition #1 GPT: Basic Data
+
+
+On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
+
+
+PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName Caption Type
+---------- ------- ----
+PC-X1 Disk #0, Partition #0 GPT: Unknown
+PC-X1 Disk #0, Partition #1 GPT: System
+PC-X1 Disk #0, Partition #2 GPT: Basic Data
+PC-X1 Disk #0, Partition #3 GPT: Basic Data
+PC-X1 Disk #0, Partition #4 GPT: Basic Data
+
+PS C:> Get-Disk
+
+Number Friendly Name OperationalStatus Total Size Partition Style
+------ ------------- ----------------- ---------- ---------------
+0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT
+
+
+
+
+**Choosing a VM generation**
+
+The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
+
+
+
+Notes:
+
+- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk.
+
- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM.
+
- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM.
+
+
+#### Prepare a generation 1 VM
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+ >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
+
+ 
+
+ >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+
+ C:\vhd>dir /B
+ 2012R2-poc-1.vhd
+ 2012R2-poc-2.vhd
+ w10-enterprise.iso
+ w7.VHDX
+
+
+#### Prepare a generation 2 VM
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+ >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, open an elevated command prompt and type the following command:
+
+ mountvol s: /s
+
+ This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
+
+3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
+
+ **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
+
+5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
+
+ 
+
+ >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+
+ C:\vhd>dir /B
+ 2012R2-poc-1.vhd
+ 2012R2-poc-2.vhd
+ w10-enterprise.iso
+ PC1.VHDX
+
+
+#### Prepare a generation 1 VM from a GPT disk
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+ >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
+4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
+
+ 
+
+ >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+
+ C:\vhd>dir /B
+ 2012R2-poc-1.vhd
+ 2012R2-poc-2.vhd
+ w10-enterprise.iso
+ w7.VHD
+
+
+ >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
+
+### Resize VHD
+
+
+Enhanced session mode
+
+**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+
+To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+Set-VMhost -EnableEnhancedSessionMode $TRUE
+
+>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+
+
+
+The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
+
+1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+
+ Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
+ $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+ Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
+
+
+2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
+
+
+ Get-Volume -DriveLetter $x
+ Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
+
+### Configure Hyper-V
+
+1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
+
+ >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+ A) Remove the existing external virtual switch, then add the poc-external switch
+ B) Rename the existing external switch to "poc-external"
+ C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ If you choose B) or C), then do not run the second command below.
+
+
+ New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+ New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+
+
+ **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
+
+ >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+
+2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
+
+
+ (Get-VMHostNumaNode).MemoryAvailable
+
+
+ This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
+
+3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
+
+
+ (Get-VMHostNumaNode).MemoryAvailable/4
+ 2775.5
+
+
+ In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
+
+4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
+ >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
+
+
+ $maxRAM = 2700MB
+ New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
+ Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
+ New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
+ Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
+ Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
+
+
+ **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
+
+5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
+
+ To create a generation 1 VM (using c:\vhd\w7.vhdx):
+
+
+ New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
+ Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
+
+ To create a generation 2 VM (using c:\vhd\PC1.vhdx):
+
+
+ New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
+ Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
+
+ To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
+
+ >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
+
+ First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
+
+
+ New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+ Mount-VHD -Passthru |
+ Get-Disk -Number {$_.DiskNumber} |
+ Initialize-Disk -PartitionStyle MBR -PassThru |
+ New-Partition -UseMaximumSize |
+ Format-Volume -Confirm:$false -FileSystem NTFS -force
+ Dismount-VHD -Path c:\vhd\d.vhd
+
+
+ Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
+
+
+ New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
+ Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
+ Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
+ Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+ Start-VM PC1
+ vmconnect localhost PC1
+
+
+ The VM will automatically boot into Windows Setup. In the PC1 window:
+
+ 1. Click **Next**.
+ 2. Click **Repair your computer**.
+ 3. Click **Troubleshoot**.
+ 4. Click **Command Prompt**.
+ 5. Type the following command to save an image of the OS drive:
+
+
+ dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+
+
+ 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
+
+
+ diskpart
+ select disk 0
+ clean
+ convert MBR
+ create partition primary size=100
+ format fs=ntfs quick
+ active
+ create partition primary
+ format fs=ntfs quick label=OS
+ assign letter=c
+ exit
+
+
+ 7. Type the following commands to restore the OS image and boot files:
+
+
+ dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+ bcdboot c:\windows
+ exit
+
+
+ 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
+ 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
+ 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
+
+
+ Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+ Set-VMDvdDrive -VMName PC1 -Path $null
+
+
+### Configure VMs
+
+1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
+
+
+ Start-VM DC1
+ vmconnect localhost DC1
+
+
+2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
+3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
+4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
+5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
+
+
+ Rename-Computer DC1
+ New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+ Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+
+
+ > The default gateway at 192.168.0.2 will be configured later in this guide.
+ >
+ > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
+
+6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
+
+
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
+
+7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
+
+
+ Restart-Computer
+
+
+8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
+
+
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+ Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
+
+
+ Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
+
+9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
+
+
+ Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
+ Add-WindowsFeature -Name DHCP -IncludeManagementTools
+ netsh dhcp add securitygroups
+ Restart-Service DHCPServer
+ Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
+ Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
+
+
+10. Next, add a DHCP scope and set option values:
+
+
+ Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
+ Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
+
+
+ >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
+
+11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
+
+
+ Get-DnsServerForwarder
+
+
+ The following output should be displayed:
+
+
+ UseRootHint : True
+ Timeout(s) : 3
+ EnableReordering : True
+ IPAddress : 192.168.0.2
+ ReorderedIPAddress : 192.168.0.2
+
+
+ If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
+
+
+ Add-DnsServerForwarder -IPAddress 192.168.0.2
+
+
+ **Configure service and user accounts**
+
+ Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+
+ >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+ On DC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+ New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+ New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+ New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+ New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+ Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
+ Set-ADUser -Identity user1 -PasswordNeverExpires $true
+ Set-ADUser -Identity administrator -PasswordNeverExpires $true
+ Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
+ Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
+ Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+
+
+12. Minimize the DC1 VM window but **do not stop** the VM.
+
+ Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
+
+13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
+
+
+ Start-VM PC1
+ vmconnect localhost PC1
+
+
+14. Sign in to PC1 using an account that has local administrator rights.
+
+ >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
+
+15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
+
+ 
+
+ >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
+
+16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
+
+17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
+
+ To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
+
+ ```
+ ipconfig
+
+ Windows IP Configuration
+
+ Ethernet adapter Local Area Connection 3:
+ Connection-specific DNS Suffix . : contoso.com
+ Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18
+ Ipv4 Address. . . . . . . . . . . : 192.168.0.101
+ Subnet Mask . . . . . . . . . . . : 255.255.255.0
+ Default Gateway . . . . . . . . . : 192.168.0.2
+
+ ping dc1.contoso.com
+
+ Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data:
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+
+ nltest /dsgetdc:contoso.com
+ DC: \\DC1
+ Address: \\192.168.0.1
+ Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8
+ Dom Name: CONTOSO
+ Forest Name: contoso.com
+ Dc Site Name: Default-First-Site-Name
+ Our Site Name: Default-First-Site-Name
+ Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
+ ```
+
+ >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
+
+18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
+
+
+ (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+ $user = "contoso\administrator"
+ $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+ Add-Computer -DomainName contoso.com -Credential $cred
+ Restart-Computer
+
+
+ >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
+
+ See the following example:
+
+ 
+
+19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
+20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
+
+
+ Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
+ Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+
+
+ >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
+
+ If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
+
+21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
+
+
+ Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
+
+
+ >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
+
+22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
+ >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
+23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
+24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
+
+
+ Start-VM SRV1
+ vmconnect localhost SRV1
+
+
+25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
+26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
+27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
+
+
+ Rename-Computer SRV1
+ New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+ Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+ Restart-Computer
+
+
+ >[!IMPORTANT]
+ >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name.
+
+28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
+
+
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+ $user = "contoso\administrator"
+ $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+ Add-Computer -DomainName contoso.com -Credential $cred
+ Restart-Computer
+
+
+29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
+
+
+ Install-WindowsFeature -Name DNS -IncludeManagementTools
+ Install-WindowsFeature -Name WDS -IncludeManagementTools
+ Install-WindowsFeature -Name Routing -IncludeManagementTools
+
+
+30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
+
+ To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
+
+
+ Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+
+ IPAddress InterfaceAlias
+ --------- --------------
+ 10.137.130.118 Ethernet 2
+ 192.168.0.2 Ethernet
+
+
+ In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
+
+ >[!TIP]
+ >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
+
+
+31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+
+ Install-RemoteAccess -VpnType Vpn
+ cmd /c netsh routing ip nat install
+ cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
+ cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
+ cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
+
+
+32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+
+
+ Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
+
+
+33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
+
+
+ ping www.microsoft.com
+
+
+ If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
+
+ **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
+
+
+ Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
+
+
+34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
+
+
+ PS C:\> ping www.microsoft.com
+
+ Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
+ Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
+ Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+ Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+ Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
+
+ Ping statistics for 23.222.146.170:
+ Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
+ Approximate round trip times in milli-seconds:
+ Minimum = 1ms, Maximum = 3ms, Average = 2ms
+
+
+35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
+36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
+
+
+ runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+ Restart-Computer
+
+
+This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
+
+## Appendix A: Verify the configuration
+
+Use the following procedures to verify that the PoC environment is configured properly and working as expected.
+
+1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+ Get-Service NTDS,DNS,DHCP
+ DCDiag -a
+ Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
+ Get-DnsServerForwarder
+ Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+ Get-DhcpServerInDC
+ Get-DhcpServerv4Statistics
+ ipconfig /all
+
+
+ **Get-Service** displays a status of "Running" for all three services.
+ **DCDiag** displays "passed test" for all tests.
+ **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+ **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
+ **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
+ **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
+ **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
+ **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
+
+2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+ Get-Service DNS,RemoteAccess
+ Get-DnsServerForwarder
+ Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+ ipconfig /all
+ netsh int ipv4 show address
+
+
+ **Get-Service** displays a status of "Running" for both services.
+ **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+ **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
+ **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+ **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
+
+3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+ whoami
+ hostname
+ nslookup www.microsoft.com
+ ping -n 1 dc1.contoso.com
+ tracert www.microsoft.com
+
+
+ **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+ **hostname** displays the name of the local computer, for example W7PC-001.
+ **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
+ **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+ **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
+
+
+## Appendix B: Terminology used in this guide
+
+
+
+
+
+
+| Term
+ | Definition
+ | | GPT | GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
+ | | Hyper-V | Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
+ | | Hyper-V host | The computer where Hyper-V is installed.
+ | | Hyper-V Manager | The user-interface console used to view and configure Hyper-V.
+ | | MBR | Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
+ | | Proof of concept (PoC) | Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
+ | | Shadow copy | A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
+ | | Virtual machine (VM) | A VM is a virtual computer with its own operating system, running on the Hyper-V host.
+ | | Virtual switch | A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
+ | | VM snapshot | A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
+ |
+
+
-| Platform/Portal
- | Register devices?
- | Create/Assign profile
- | Acceptable DeviceID
+ | Platform/Portal |
+Register devices? |
+Create/Assign profile |
+Acceptable DeviceID |
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index 0fd535d10e..a5c02be0ef 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -68,15 +68,16 @@ See the following examples.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module AzureAD -Force
Install-Module WindowsAutopilotIntune -Force
+ Install-Module Microsoft.Graph.Intune -Force
```
-
+
3. Enter the following lines and provide Intune administrative credentials
- - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights.
+ - Be sure that the user account you specify has sufficient administrative rights.
```powershell
- Connect-MSGraph -user admin@M365x373186.onmicrosoft.com
+ Connect-MSGraph
```
- The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**.
+ The user and password for your account will be requested using a standard Azure AD form. Type your username and password and then click **Sign in**.
See the following example:
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index f8a3185eb0..c8bdc813a2 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -289,6 +289,16 @@ Capability Security Identifiers (SIDs) are used to uniquely and immutably identi
All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
+## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
+You may see the following registry keys under AllCachedCapabilities:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
+
All Capability SIDs are prefixed by S-1-15-3
## See also
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index fbeab9d3aa..7e2204a44a 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -129,7 +129,7 @@
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-#### [Stream advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
+
#### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@@ -137,8 +137,6 @@
### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-#### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
-#### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
### [Integrations]()
#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
@@ -362,15 +360,15 @@
###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
#### [Microsoft Defender ATP API]()
-##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
##### [Get started with Microsoft Defender ATP APIs]()
-###### [Introduction](microsoft-defender-atp/apis-intro.md)
+###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
+###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
###### [Hello World](microsoft-defender-atp/api-hello-world.md)
###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
-##### [APIs]()
+##### [Microsoft Defender ATP APIs Schema]()
###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
@@ -444,14 +442,14 @@
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
-#### [Windows updates (KB) info]()
-##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
+#### [Raw data streaming API]()
+##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
+##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
+##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
+
-#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
-##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
-
-
-#### [Pull detections to your SIEM tools]()
+#### [SIEM integration]()
+##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
@@ -460,6 +458,7 @@
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
+
#### [Reporting]()
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
@@ -486,45 +485,55 @@
###### [Using machine groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
-#### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)
+#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
+
+## [Partner integration scenarios]()
+### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
+### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
+### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md)
+
+
+## [Configure Microsoft threat protection integration]()
+### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
+### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
+### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
+
+## [Configure portal settings]()
+### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
+### [General]()
+#### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
+#### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
+#### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
+#### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
+#### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
+
+### [Permissions]()
+#### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
+#### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
+##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
+##### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
+###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
+
+### [APIs]()
+#### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
+#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
+
+### [Rules]()
+#### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
+#### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
+#### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
+#### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
+
+### [Machine management]()
+#### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
+#### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
+
+### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
-### [Configure Microsoft threat protection integration]()
-#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
-#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
-### [Configure portal settings]()
-#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
-#### [General]()
-##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
-##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
-##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
-##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
-##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
-#### [Permissions]()
-##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
-##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
-####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
-#### [APIs]()
-##### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-
-#### [Rules]()
-##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
-##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
-##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
-##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
-
-#### [Machine management]()
-##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
-##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
-
-#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
## [Troubleshoot Microsoft Defender ATP]()
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index 10876a5671..f97c972551 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -184,6 +184,7 @@ The most common values:
| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. |
+| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.|
| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. |
| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. |
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index 06ffbee5b0..4e98d50f44 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -126,8 +126,9 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **Subcategory** \[Type = UnicodeString\]**:** the name of auditing subcategory which state was changed. Possible values:
-| Audit Credential Validation | Audit Process Termination | Audit Other Logon/Logoff Events |
+| Value | Value | Value |
|------------------------------------------|----------------------------------------------|--------------------------------------|
+| Audit Credential Validation | Audit Process Termination | Audit Other Logon/Logoff Events |
| Audit Kerberos Authentication Service | Audit RPC Events | Audit Special Logon |
| Audit Kerberos Service Ticket Operations | Audit Detailed Directory Service Replication | Audit Application Generated |
| Audit Other Logon/Logoff Events | Audit Directory Service Access | Audit Certification Services |
@@ -145,7 +146,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
| Audit Policy Change | Audit Non-Sensitive Privilege Use | Audit System Integrity |
| Audit Authentication Policy Change | Audit Sensitive Privilege Use | Audit PNP Activity |
| Audit Authorization Policy Change | Audit Other Privilege Use Events | |
-| Group Membership | Audit Network Policy Server | |
+| Audit Group Membership | Audit Network Policy Server | |
- **Subcategory GUID** \[Type = GUID\]**:** the unique GUID of changed subcategory.
diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg
new file mode 100644
index 0000000000..e79d2b057d
Binary files /dev/null and b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index 425ad57ee8..589b46db48 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -1,5 +1,5 @@
---
-title: Microsoft Defender Advanced Threat Protection API overview
+title: Access the Microsoft Defender Advanced Threat Protection APIs
ms.reviewer:
description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Microsoft Defender ATP API overview
+# Access the Microsoft Defender Advanced Threat Protection APIs
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index 521fbb5621..ad965c75e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 10/16/2017
---
# Pull detections to your SIEM tools
@@ -56,13 +55,3 @@ Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using
For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
-## In this section
-
-Topic | Description
-:---|:---
-[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
-[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
-[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
-[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
-[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 5e9a5f5e75..1741fdf531 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -130,7 +130,7 @@ h. Select **Manage > Assignments**. In the **Include** tab, select *
In terminal, run:
```bash
- mdatp --edr --earlypreview true
+ mdatp --edr --early-preview true
```
For versions earlier than 100.78.0, run:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
new file mode 100644
index 0000000000..066146d158
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
@@ -0,0 +1,54 @@
+---
+title: Become a Microsoft Defender ATP partner
+ms.reviewer:
+description: Learn the steps and requirements so that you can integrate your solution with Microsoft Defender ATP and be a partner
+keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Become a Microsoft Defender ATP partner
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps.
+
+## Step 1: Subscribe to a Microsoft Defender ATP Developer license
+Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
+
+## Step 2: Fulfill the solution validation and certification requirements
+The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team.
+
+Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
+
+## Step 3: Become a Microsoft Intelligent Security Association member
+[Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products.
+
+## Step 4: Get listed in the Microsoft Defender ATP partner application portal
+Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender ATP management portal.
+
+To have your company listed as a partner in the in-product partner page, you will need to provide the following:
+
+1. A square logo (SVG).
+2. Name of the product to be presented.
+3. Provide a 15-word product description.
+4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
+5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
+
+
+Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
+
+## Related topics
+- [Technical partner opportunities](partner-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png
new file mode 100644
index 0000000000..b7dea8615b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png
new file mode 100644
index 0000000000..7a74411ba6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png
new file mode 100644
index 0000000000..26eed612da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png
new file mode 100644
index 0000000000..76dce431e1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png
new file mode 100644
index 0000000000..5d1588dee2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 259e8692cd..083d1a181e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -225,7 +225,7 @@ $ mdatp --health healthy
The above command prints "1" if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
-- 1 if the device is not yet onboarded
+- 0 if the device is not yet onboarded
- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
## Logging installation issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index c5b8407fc6..85deccc918 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -371,10 +371,6 @@ The following configuration profile will:
### Intune profile
```XML
-
-
-
-
PayloadUUID
C4E6A782-0C8D-44AB-A025-EB893987A295
PayloadType
@@ -443,8 +439,6 @@ The following configuration profile will:
-
-
```
## Full configuration profile example
@@ -530,10 +524,6 @@ The following configuration profile contains entries for all settings described
### Intune profile
```XML
-
-
-
-
PayloadUUID
C4E6A782-0C8D-44AB-A025-EB893987A295
PayloadType
@@ -640,8 +630,6 @@ The following configuration profile contains entries for all settings described
-
-
```
## Configuration profile deployment
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index 30bbd5efe4..e23db78609 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -1,8 +1,8 @@
---
title: Overview of management and APIs
ms.reviewer:
-description:
-keywords:
+description: Learn about the management tools and API categories in Microsoft Defender ATP
+keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -29,40 +29,51 @@ Microsoft Defender ATP supports a wide variety of options to ensure that custome
Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements.
+## Endpoint onboarding and portal access
+
Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management.
Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
- Globally distributed organizations and security teams
- Tiered model security operations teams
-- Fully segregated devisions with single centralized global security operations teams
+- Fully segregated divisions with single centralized global security operations teams
-The Microsoft Defender ATP solution is built on top of an integration-ready platform:
-- It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution.
-- It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation:
- - Enriching events coming from other security systems with foot print or prevalence information
- - Triggering file or machine level response actions through APIs
- - Keeping systems in-sync such as importing machine tags from asset management systems into Microsoft Defender ATP, synchronize alerts and incidents status cross ticketing systems with Microsoft Defender ATP.
+## Available APIs
+The Microsoft Defender ATP solution is built on top of an integration-ready platform.
-An important aspect of machine management is the ability to analyze the environment from varying and broad perspectives. This often helps drive new insights and proper priority identification:
-- The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures.
-- Microsoft Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Microsoft Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Microsoft Defender ATP data with your own data stream to produce business specific reports.
+Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
+
+
+
+The Microsoft Defender ATP APIs can be grouped into three:
+- Microsoft Defender ATP APIs
+- Raw data streaming API
+- SIEM integration
-## In this section
-Topic | Description
-:---|:---
-Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
-Managed security service provider | Get a quick overview on managed security service provider support.
+## Microsoft Defender ATP APIs
+
+Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
+
+The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).
+
+The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others.
+
+## Raw data streaming API
+Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
+
+The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
+
+For more information see, [Raw data streaming API](raw-data-export.md).
+## SIEM API
+When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md)
## Related topics
-- [Onboard machines](onboard-configure.md)
-- [Enable the custom threat intelligence application](enable-custom-ti.md)
-- [Microsoft Defender ATP Public API](apis-intro.md)
-- [Pull alerts to your SIEM tools](configure-siem.md)
-- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Role-based access control](rbac.md)
+- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
+- [Supported APIs](exposed-apis-list.md)
+- [Technical partner opportunities](partner-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index aaf95f6065..b2c1bdcbf9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -174,6 +174,9 @@ When Windows Defender Antivirus is not the active antimalware in your organizati
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
+> [!NOTE]
+> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
index 4859c4cd49..dc86cb4ea9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
@@ -1,5 +1,5 @@
---
-title: Managed security service provider (MSSP) support
+title: Managed security service provider (MSSP) partnership opportunities
description: Understand how Microsoft Defender ATP integrates with managed security service providers (MSSP)
keywords: mssp, integration, managed, security, service, provider
search.product: eADQiWindows 10XVcnh
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Managed security service provider support
+# Managed security service provider partnership opportunities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -25,14 +25,13 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP.
-Microsoft Defender ATP adds support for this scenario and to allow MSSPs to take the following actions:
+Microsoft Defender ATP adds partnership opportunities for this scenario and allows MSSPs to take the following actions:
- Get access to MSSP customer's Microsoft Defender Security Center portal
- Get email notifications, and
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
new file mode 100644
index 0000000000..f9914b49c5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
@@ -0,0 +1,55 @@
+---
+title: Microsoft Defender ATP partner opportunities and scenarios
+ms.reviewer:
+description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender ATP
+keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP partner opportunities and scenarios
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+
+Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP.
+
+The APIs span functional areas including detection, management, response, vulnerabilities and intelligence wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP.
+
+
+## Scenario 1: External alert correlation and Automated investigation and remediation
+Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.
+
+Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
+
+Microsoft Defender ATP adds support for this scenario in the following forms:
+- External alerts can be pushed into Microsoft Defender ATP and presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack.
+
+- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert.
+
+## Scenario 2: Security orchestration and automation response (SOAR) integration
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others.
+
+## Scenario 3: Indicators matching
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
+
+The above scenarios serve as examples of the extensibility of the platform. You are not limited to these and we certainly encourage you leverage the open framework to discover and explore other scenarios.
+
+Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP.
+
+## Related topic
+- [Overview of management and APIs](management-apis.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
index c9d50043b1..c003b67a2d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
@@ -50,5 +50,19 @@ Here is an example of an IOC:
IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
+## In this section
+
+Topic | Description
+:---|:---
+[Pull detections to your SIEM tools](configure-siem.md)| Learn about different ways to pull detections.
+[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
+[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
+[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
+[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
+[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
+[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
+
+
+
## Related topics
- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index e55608222d..4f71aff441 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -44,12 +44,21 @@ Each machine in the organization is scored based on three important factors: thr
You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it.
-From the menu, select **Security recommendations** to get an overview of the running list with its weaknesses, related components, application, operating system, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
+*Security recommendations option from the left navigation menu*
+1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
->[!NOTE]
-> The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens per change, which means an increase or decrease of even a single machine will change the graph's color.
+ >[!NOTE]
+ > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what’s on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
+
+ You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**.
+
+
+2. Select the security recommendation that you need to investigate or process.
+
+
+ *Top security recommendations from the dashboard*
In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index b836aabd10..accf7f1ab2 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -26,7 +26,7 @@ Describes the best practices, location, values, management, and security conside
## Reference
-Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy.
+Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
### Possible values
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index c51a7da9ea..fa061b9284 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -84,7 +84,7 @@ You can disable this setting to ensure that only globally-defined lists (such as
4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
> [!NOTE]
-> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
+> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Allow a blocked app in Windows Security](https://support.microsoft.com/help/4046851/windows-10-allow-blocked-app-windows-security).
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 0013143d29..ed7b30ece9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -13,7 +13,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
-ms.date: 10/02/2018
+ms.date: 01/06/2020
ms.reviewer:
manager: dansimp
---
@@ -25,13 +25,13 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
-Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.
+Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.
For example:
-* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages.
-* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
-* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
+* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages.
+* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
+* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md).
@@ -45,11 +45,11 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent
#### Enable PUA protection in Chromium-based Microsoft Edge
-Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser.
+Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is turned off by default, it can easily be turned on from within the browser.
-1. From the tool bar, select **Settings and more** > **Settings**
-1. Select **Privacy and services**
-1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off
+1. From the tool bar, select **Settings and more** > **Settings**.
+2. Select **Privacy and services**.
+3. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off.
> [!TIP]
> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/).
@@ -58,7 +58,7 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs.
-Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows
+Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.
@@ -71,11 +71,11 @@ The potentially unwanted application (PUA) protection feature in Windows Defende
> [!NOTE]
> This feature is only available in Windows 10.
-Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
+Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
-When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
+When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
-The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
+The notification appears in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
#### Configure PUA protection in Windows Defender Antivirus
@@ -105,7 +105,7 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat
##### Use Group Policy to configure PUA protection
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
@@ -119,17 +119,30 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat
##### Use PowerShell cmdlets to configure PUA protection
-Use the following cmdlet:
+###### To enable PUA protection
```PowerShell
-Set-MpPreference -PUAProtection
+Set-MpPreference -PUAProtection enable
```
-
Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
+###### To set PUA protection to audit mode
+
+```PowerShell
+Set-MpPreference -PUAProtection auditmode
+```
Setting `AuditMode` will detect PUAs without blocking them.
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+###### To disable PUA protection
+
+We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
+
+```PowerShell
+Set-MpPreference -PUAProtection disable
+```
+Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
#### View PUA events
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png
new file mode 100644
index 0000000000..3d0c58844b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 39c7314643..5b4eaf3994 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -1,9 +1,9 @@
---
-title: Protect security settings with Tamper Protection
+title: Protect security settings with tamper protection
ms.reviewer:
manager: dansimp
-description: Use Tamper Protection to prevent malicious apps from changing important security settings.
-keywords: malware, defender, antivirus, Tamper Protection
+description: Use tamper protection to prevent malicious apps from changing important security settings.
+keywords: malware, defender, antivirus, tamper protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,7 +17,7 @@ ms.author: deniseb
ms.custom: nextgen
---
-# Protect security settings with Tamper Protection
+# Protect security settings with tamper protection
**Applies to:**
@@ -25,9 +25,9 @@ ms.custom: nextgen
## Overview
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper Protection helps prevent this from occurring.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
-With Tamper Protection, malicious apps are prevented from taking actions like these:
+With tamper protection, malicious apps are prevented from taking actions like these:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@@ -35,25 +35,40 @@ With Tamper Protection, malicious apps are prevented from taking actions like th
- Disabling cloud-delivered protection
- Removing security intelligence updates
+Tamper protection now integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Security recommendations include a check to make sure tamper protection is turned on.
+
+
+
+In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
+
+
+
## How it works
- Tamper Protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
+ Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
- and so on.
-Tamper Protection doesn't prevent you from viewing your security settings. And, Tamper Protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the Tamper Protection setting; this is managed by your security team.
+Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
### What do you want to do?
-[Turn Tamper Protection on (or off) for an individual machine using Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine)
+[Turn tamper protection on (or off) for an individual machine using Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine)
-[Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
+[Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
-## Turn Tamper Protection on (or off) for an individual machine
+## Turn tamper protection on (or off) for an individual machine
-If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn Tamper Protection on or off. You must have appropriate admin permissions on your machine to perform the following task.
+> [!NOTE]
+> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+>
+> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+>
+> Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+
+If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to perform the following task.
1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
@@ -61,21 +76,13 @@ If you are a home user, or you are not subject to settings managed by a security
3. Set **Tamper Protection** to **On** or **Off**.
-> [!NOTE]
-> Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
->
-> To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
->
-> Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+## Turn tamper protection on (or off) for your organization using Intune
-
-## Turn Tamper Protection on (or off) for your organization using Intune
-
-If you are part of your organization's security team, you can turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.)
+If you are part of your organization's security team, you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.)
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
-1. Make sure your organization meets the following requirements:
+1. Make sure your organization meets all of the following requirements:
- Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.)
- Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities).
@@ -90,44 +97,67 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
4. Create a profile that includes the following settings:
- **Platform**: Windows 10 and later
+
- **ProfileType**: Endpoint protection
+
- **Settings** > Windows Defender Security Center > Tamper Protection
5. Assign the profile to one or more groups.
+### Are you using Windows OS 1709?
+
+If you are using Windows OS 1709, you don't have the Windows Security app on your computer. In this case, the one of the following procedures to determine whether tamper protection is enabled.
+
+#### To determine whether tamper protection is turned on by using PowerShell
+
+1. Open the Windows PowerShell app.
+
+2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet.
+
+3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
+
+#### To determine whether tamper protection is turned on by viewing a registry key
+
+1. Open the Registry Editor app.
+
+2. Go to **HKEY_LOCAL_MACHINE** > **SOFTWARE** > **Microsoft** > **Windows Defender** > **Features**.
+
+3. Look for an entry of **TamperProtection** of type **REG_DWORD**, with a value of **0x5**.
+ - If you see **TamperProtection** with a value of **0**, tamper protection is not turned on.
+ - If you do not see **TamperProtection** at all, tamper protection is not turned on.
+
## Frequently asked questions
-### To which Windows OS versions is configuring Tamper Protection is applicable?
+### To which Windows OS versions is configuring tamper protection is applicable?
-[Windows 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later
+[Windows 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
-### Is configuring Tamper Protection in Intune supported on servers?
+### Is configuring tamper protection in Intune supported on servers?
No
-### Will Tamper Protection have any impact on third party antivirus registration?
+### Will tamper protection have any impact on third party antivirus registration?
No, third-party antivirus will continue to register with the Windows Security application.
### What happens if Windows Defender Antivirus is not active on a device?
-Tamper Protection will not have any impact on such devices.
+Tamper protection will not have any impact on such devices.
-### How can I turn Tamper Protection on/off?
+### How can I turn tamper protection on/off?
-If you are a home user, see [Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
+If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
-If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage Tamper Protection in Intune similar to how you manage other endpoint protection features. See [Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
+If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
-### How does configuring Tamper Protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
+### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
-Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+Your regular group policy doesn’t apply to tamper protection, and changes to Windows Defender Antivirus settings will be ignored when tamper protection is on.
>[!NOTE]
->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by Tamper Protection.
-To avoid any potential delays, it is recommended to remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow Tamper Protection to protect Windows Defender Antivirus settings.
+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings.
> Sample Windows Defender Antivirus settings:
> Turn off Windows Defender Antivirus
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
@@ -137,31 +167,31 @@ Computer Configuration\Administrative Templates\Windows Components\Windows Defen
Value DisableRealtimeMonitoring = 0
-### For Microsoft Defender ATP E5, is configuring Tamper Protection in Intune targeted to the entire organization only?
+### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
-Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
+Configuring tamper protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
-### Can I configure Tamper Protection in System Center Configuration Manager?
+### Can I configure tamper protection in System Center Configuration Manager?
-Currently we do not have support to manage Tamper Protection through System Center Configuration Manager.
+Currently we do not have support to manage tamper protection through System Center Configuration Manager.
-### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune?
+### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
-Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
-### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
+### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when tamper protection is enabled on a device?
-You won’t be able to change the features that are protected by Tamper Protection; those change requests are ignored.
+You won’t be able to change the features that are protected by tamper protection; those change requests are ignored.
-### I’m an enterprise customer. Can local admins change Tamper Protection on their devices?
+### I’m an enterprise customer. Can local admins change tamper protection on their devices?
-No. Local admins cannot change or modify Tamper Protection settings.
+No. Local admins cannot change or modify tamper protection settings.
### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
-In this case, Tamper Protection status changes, and this feature is no longer applied.
+In this case, tamper protection status changes, and this feature is no longer applied.
-### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Security Center?
+### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
@@ -169,7 +199,7 @@ In addition, your security operations team can use hunting queries, such as the
`AlertEvents | where Title == "Tamper Protection bypass"`
-### Will there be a group policy setting for Tamper Protection?
+### Will there be a group policy setting for tamper protection?
No.
| | | |