deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #9510 from MicrosoftDocs/main

Browse Source 
publish main to live, 3:30 PM 1/29/24
This commit is contained in:
Jeff Borsecnik 2024-01-29 15:39:52 -08:00 committed by GitHub
commit abba3c108d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
50 changed files with 305 additions and 7199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
.openpublishing.redirection.json
View File

@ -1682,12 +1682,12 @@
},
{
"source_path": "windows/deploy/assign-applications-using-roles-in-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
"redirect_document_id": false
},
{
@ -1717,17 +1717,17 @@
},
{
"source_path": "windows/deploy/configure-mdt-deployment-share-rules.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
"redirect_document_id": false
},
{
"source_path": "windows/deploy/configure-mdt-for-userexit-scripts.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
"redirect_document_id": false
},
{
"source_path": "windows/deploy/configure-mdt-settings.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-settings",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings",
"redirect_document_id": false
},
{
@ -1742,7 +1742,7 @@
},
{
"source_path": "windows/deploy/create-a-windows-10-reference-image.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
"redirect_document_id": false
},
{
@ -1752,7 +1752,7 @@
},
{
"source_path": "windows/deploy/deploy-a-windows-10-image-using-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
"redirect_document_id": false
},
{
@ -1782,7 +1782,7 @@
},
{
"source_path": "windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
"redirect_document_id": false
},
{
@ -1922,7 +1922,7 @@
},
{
"source_path": "windows/deploy/prepare-for-windows-deployment-with-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
"redirect_document_id": false
},
{
@ -2002,7 +2002,7 @@
},
{
"source_path": "windows/deploy/refresh-a-windows-7-computer-with-windows-10.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
"redirect_document_id": false
},
{
@ -2017,7 +2017,7 @@
},
{
"source_path": "windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
"redirect_document_id": false
},
{
@ -2047,7 +2047,7 @@
},
{
"source_path": "windows/deploy/set-up-mdt-for-bitlocker.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
"redirect_document_id": false
},
{
@ -2057,7 +2057,7 @@
},
{
"source_path": "windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
"redirect_document_id": false
},
{
@ -2207,7 +2207,7 @@
},
{
"source_path": "windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
"redirect_document_id": false
},
{
@ -2217,12 +2217,12 @@
},
{
"source_path": "windows/deploy/use-orchestrator-runbooks-with-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
"redirect_document_id": false
},
{
@ -2252,7 +2252,7 @@
},
{
"source_path": "windows/deploy/use-web-services-in-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt",
"redirect_document_id": false
},
{
@ -2532,7 +2532,7 @@
},
{
"source_path": "windows/deploy/windows-10-poc-mdt.md",
"redirect_url": "/windows/deployment/windows-10-poc-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-10-poc-mdt",
"redirect_document_id": false
},
{
@ -12735,6 +12735,96 @@
"redirect_url": "/licensing/",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-10-poc-mdt.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/windows-10-poc-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md",
"redirect_url": "/windows/deployment/upgrade/resolve-windows-upgrade-errors",

10
.openpublishing.redirection.windows-deployment.json
View File

@ -12,7 +12,7 @@
},
{
"source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
"redirect_document_id": false
},
{
@ -22,17 +22,17 @@
},
{
"source_path": "windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/key-features-in-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#mdt-lite-touch-components",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#mdt-lite-touch-components",
"redirect_document_id": false
},
{
@ -692,7 +692,7 @@
},
{
"source_path": "windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
"redirect_document_id": false
},
{

281
.openpublishing.redirection.windows-whats-new.json
View File

@ -1,114 +1,169 @@
{
"redirections": [
{
"source_path": "windows/whats-new/applocker.md",
"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/bitlocker.md",
"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md",
"redirect_url": "/windows/whats-new/index",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/contribute-to-a-topic.md",
"redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/credential-guard.md",
"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/device-guard-overview.md",
"redirect_url": "/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/device-management.md",
"redirect_url": "/windows/client-management/index",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/edge-ie11-whats-new-overview.md",
"redirect_url": "/microsoft-edge/deploy/emie-to-improve-compatibility",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/edp-whats-new-overview.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/lockdown-features-windows-10.md",
"redirect_url": "/windows/configuration/lockdown-features-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/microsoft-passport.md",
"redirect_url": "/windows/access-protection/hello-for-business/hello-identity-verification",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/new-provisioning-packages.md",
"redirect_url": "/windows/configuration/provisioning-packages/provisioning-packages",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/security-auditing.md",
"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/security.md",
"redirect_url": "/windows/threat-protection/overview-of-threat-mitigations-in-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/trusted-platform-module.md",
"redirect_url": "/windows/device-security/tpm/trusted-platform-module-overview",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/user-account-control.md",
"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-10-insider-preview.md",
"redirect_url": "/windows/whats-new",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-11-whats-new.md",
"redirect_url": "/windows/whats-new/windows-11-overview",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-11.md",
"redirect_url": "/windows/whats-new/windows-11-whats-new",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-spotlight.md",
"redirect_url": "/windows/configuration/windows-spotlight",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-store-for-business-overview.md",
"redirect_url": "/microsoft-store/windows-store-for-business-overview",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-update-for-business.md",
"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id": false
}
]
}
"redirections":[
{
"source_path":"windows/whats-new/applocker.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/bitlocker.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/change-history-for-what-s-new-in-windows-10.md",
"redirect_url":"/windows/whats-new/index",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/contribute-to-a-topic.md",
"redirect_url":"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/credential-guard.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/device-guard-overview.md",
"redirect_url":"/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/device-management.md",
"redirect_url":"/windows/client-management/index",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/edge-ie11-whats-new-overview.md",
"redirect_url":"/microsoft-edge/deploy/emie-to-improve-compatibility",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/edp-whats-new-overview.md",
"redirect_url":"/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/lockdown-features-windows-10.md",
"redirect_url":"/windows/configuration/lockdown-features-windows-10",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/microsoft-passport.md",
"redirect_url":"/windows/access-protection/hello-for-business/hello-identity-verification",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/new-provisioning-packages.md",
"redirect_url":"/windows/configuration/provisioning-packages/provisioning-packages",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/security-auditing.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/security.md",
"redirect_url":"/windows/threat-protection/overview-of-threat-mitigations-in-windows-10",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/trusted-platform-module.md",
"redirect_url":"/windows/device-security/tpm/trusted-platform-module-overview",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/user-account-control.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/windows-10-insider-preview.md",
"redirect_url":"/windows/whats-new",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/windows-11-whats-new.md",
"redirect_url":"/windows/whats-new/windows-11-overview",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/windows-11.md",
"redirect_url":"/windows/whats-new/windows-11-whats-new",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/windows-spotlight.md",
"redirect_url":"/windows/configuration/windows-spotlight",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/windows-store-for-business-overview.md",
"redirect_url":"/microsoft-store/windows-store-for-business-overview",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/windows-update-for-business.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1507-and-1511.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1607.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1607",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1703.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1703",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1709.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1709",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1803.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1803",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1809.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1903.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1903",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-1909.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1909",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-2004.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-2004",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-20H2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-20H2",
"redirect_document_id":false
},
{
"source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
"redirect_document_id":false
}
]
}

40
windows/deployment/deploy-windows-mdt/TOC.yml
View File

@ -1,40 +0,0 @@
- name: Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
items:
- name: Get started with MDT
href: get-started-with-the-microsoft-deployment-toolkit.md
- name: Deploy Windows 10 with MDT
items:
- name: Prepare for deployment with MDT
href: prepare-for-windows-deployment-with-mdt.md
- name: Create a Windows 10 reference image
href: create-a-windows-10-reference-image.md
- name: Deploy a Windows 10 image using MDT
href: deploy-a-windows-10-image-using-mdt.md
- name: Build a distributed environment for Windows 10 deployment
href: build-a-distributed-environment-for-windows-10-deployment.md
- name: Refresh a Windows 7 computer with Windows 10
href: refresh-a-windows-7-computer-with-windows-10.md
- name: Replace a Windows 7 computer with a Windows 10 computer
href: replace-a-windows-7-computer-with-a-windows-10-computer.md
- name: Perform an in-place upgrade to Windows 10 with MDT
href: upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
- name: Customize MDT
items:
- name: Configure MDT settings
href: configure-mdt-settings.md
- name: Set up MDT for BitLocker
href: set-up-mdt-for-bitlocker.md
- name: Configure MDT deployment share rules
href: configure-mdt-deployment-share-rules.md
- name: Configure MDT for UserExit scripts
href: configure-mdt-for-userexit-scripts.md
- name: Simulate a Windows 10 deployment in a test environment
href: simulate-a-windows-10-deployment-in-a-test-environment.md
- name: Use the MDT database to stage Windows 10 deployment information
href: use-the-mdt-database-to-stage-windows-10-deployment-information.md
- name: Assign applications using roles in MDT
href: assign-applications-using-roles-in-mdt.md
- name: Use web services in MDT
href: use-web-services-in-mdt.md
- name: Use Orchestrator runbooks with MDT
href: use-orchestrator-runbooks-with-mdt.md

136
windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
View File

@ -1,136 +0,0 @@
---
title: Assign applications using roles in MDT (Windows 10)
description: This article will show you how to add applications to a role in the MDT database and then assign that role to a computer.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Assign applications using roles in MDT
This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this article, the application we're adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
## Create and assign a role entry in the database
1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**.
2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings:
1. Role name: Standard PC
2. Applications / Lite Touch Applications:
3. Install - Adobe Reader XI - x86
![figure 12.](../images/mdt-09-fig12.png)
Figure 12. The Standard PC role with the application added
## Associate the role with a computer in the database
After creating the role, you can associate it with one or more computer entries.
1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**.
2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
- Roles: Standard PC
![figure 13.](../images/mdt-09-fig13.png)
Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
## Verify database access in the MDT simulation environment
When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications aren't installed, but you can see which applications would be installed if you did a full deployment of the computer.
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Modify the C:\\MDT\\CustomSettings.ini file to look like below:
```ini
[Settings]
Priority=CSettings, CRoles, RApplications, Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=Y
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
AdminPassword=P@ssw0rd
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
DomainAdminPassword=P@ssw0rd
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=NO
SkipDomainMembership=YES
SkipUserData=NO
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
EventService=http://MDT01:9800
[CSettings]
SQLServer=MDT01
Instance=SQLEXPRESS
Database=MDT
Netlib=DBNMPNTW
SQLShare=Logs$
Table=ComputerSettings
Parameters=UUID, AssetTag, SerialNumber, MacAddress
ParameterCondition=OR
[CRoles]
SQLServer=MDT01
Instance=SQLEXPRESS
Database=MDT
Netlib=DBNMPNTW
SQLShare=Logs$
Table=ComputerRoles
Parameters=UUID, AssetTag, SerialNumber, MacAddress
ParameterCondition=OR
[RApplications]
SQLServer=MDT01
Instance=SQLEXPRESS
Database=MDT
Netlib=DBNMPNTW
SQLShare=Logs$
Table=RoleApplications
Parameters=Role
Order=Sequence
```
3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
```powershell
Set-Location C:\MDT
.\Gather.ps1
```
![figure 14.](../images/mdt-09-fig14.png)
Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
## Related articles
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

304
windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
View File

@ -1,304 +0,0 @@
---
title: Build a distributed environment for Windows 10 deployment (Windows 10)
description: In this article, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Build a distributed environment for Windows 10 deployment
**Applies to:**
- Windows 10
Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
![figure 1.](../images/mdt-10-fig01.png)
Computers used in this article.
> [!NOTE]
> HV01 is also used in this topic to host the PC0006 virtual machine.
## Replicate deployment shares
Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
> [!NOTE]
> Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.
### Linked deployment shares in MDT
LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option.
### Why DFS-R is a better option
DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your main deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
## Set up Distributed File System Replication (DFS-R) for replication
Setting up DFS-R for replication is a quick and straightforward process: Prepare the deployment servers, create a replication group, then configure some replication settings.
### Prepare MDT01 for replication
On **MDT01**:
1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt:
```powershell
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
```output
PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {DFS Replication, DFS Management Tools, Fi...
```
### Prepare MDT02 for replication
On **MDT02**:
1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt:
```powershell
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
```output
PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {DFS Replication, DFS Management Tools, Fi...
```
### Create the MDTProduction folder on MDT02
On **MDT02**:
1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt:
```powershell
mkdir d:\MDTProduction
New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
```
2. You should see the following output:
```output
C:\> New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
Name ScopeName Path Description
---- --------- ---- -----------
MDTProduction$ * D:\MDTProduction
```
### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the **DefaultGateway** property.
On **MDT01**:
1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the `Boostrap.ini` file as follows. Under `[DefaultGateway]` enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use.
```ini
[Settings]
Priority=DefaultGateway, Default
[DefaultGateway]
10.10.10.1=NewYork
10.10.20.1=Stockholm
[NewYork]
DeployRoot=\\MDT01\MDTProduction$
[Stockholm]
DeployRoot=\\MDT02\MDTProduction$
[Default]
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
> [!NOTE]
> The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
2. Save the `Bootstrap.ini` file.
3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
![figure 5.](../images/mdt-10-fig05.png)
Replacing the updated boot image in WDS.
> [!TIP]
> If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
## Replicate the content
Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication.
### Create the replication group
1. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**.
2. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**.
3. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**.
4. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**.
![figure 6.](../images/mdt-10-fig06.png)
Adding the Replication Group Members.
5. On the **Topology Selection** page, select the **Full mesh** option and select **Next**.
6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**.
7. On the **Primary Member** page, select **MDT01** and select **Next**.
8. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**.
9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**.
10. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**.
11. On the **Review Settings and Create Replication Group** page, select **Create**.
12. On the **Confirmation** page, select **Close**.
### Configure replicated folders
1. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
2. In the middle pane, right-click the **MDT01** member and select **Properties**.
3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share:
```powershell
(Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```
4. In the middle pane, right-click the **MDT02** member and select **Properties**.
5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
> [!NOTE]
> It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
6. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
```cmd
C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
MemName IsPrimary
MDT01 Yes
MDT02 No
```
### Verify replication
On **MDT02**:
1. Wait until you start to see content appear in the **D:\\MDTProduction** folder.
2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and select **Next**.
4. On the **Path and Name** page, accept the default settings and select **Next**.
5. On the **Members to Include** page, accept the default settings and select **Next**.
6. On the **Options** page, accept the default settings and select **Next**.
7. On the **Review Settings and Create Report** page, select **Create**.
8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
![figure 9.](../images/mdt-10-fig09.png)
The DFS Replication Health Report.
> [!NOTE]
> If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
## Configure Windows Deployment Services (WDS) in a remote site
Like you did in the previous article for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
## Deploy a Windows 10 client to the remote site
Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure.
> [!NOTE]
> For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the `Boostrap.ini` file.
1. Create a virtual machine with the following settings:
1. **Name**: PC0006
2. **Location**: C:\\VMs
3. **Generation**: 2
4. **Memory**: 2048 MB
5. **Hard disk**: 60 GB (dynamic disk)
6. Install an operating system from a network-based installation server
2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: PC0006
3. Applications: Select the Install - Adobe Reader
4. Setup will now start and perform the following steps:
1. Install the Windows 10 Enterprise operating system.
2. Install applications.
3. Update the operating system using your local Windows Server Update Services (WSUS) server.
![pc0001.](../images/pc0006.png)
## Related articles
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

116
windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
View File

@ -1,116 +0,0 @@
---
title: Configure MDT deployment share rules (Windows 10)
description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Configure MDT deployment share rules
In this article, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
## Assign settings
When using MDT, you can assign setting in three distinct ways:
- You can pre-stage the information before deployment.
- You can prompt the user or technician for information.
- You can have MDT generate the settings automatically.
In order to illustrate these three options, let's look at some sample configurations.
## Sample configurations
Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine.
### Set computer name by MAC Address
If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. When you have many machines, it makes sense to use the database instead.
```ini
[Settings]
Priority=MacAddress, Default
[Default]
OSInstall=YES
[00:15:5D:85:6B:00]
OSDComputerName=PC00075
```
In the preceding sample, you set the PC00075 computer name for a machine with a MAC Address of 00:15:5D:85:6B:00.
### Set computer name by serial number
Another way to assign a computer name is to identify the machine via its serial number.
```ini
[Settings]
Priority=SerialNumber, Default
[Default]
OSInstall=YES
[CND0370RJ7]
OSDComputerName=PC00075
```
In this sample, you set the PC00075 computer name for a machine with a serial number of CND0370RJ7.
### Generate a computer name based on a serial number
You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly.
```ini
[Settings]
Priority=Default
[Default]
OSInstall=YES
OSDComputerName=PC-%SerialNumber%
```
In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7.
> [!NOTE]
> Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters.
### Generate a limited computer name based on a serial number
To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows:
```ini
[Settings]
Priority=Default
[Default]
OSInstall=YES
OSDComputerName=PC-#Left("%SerialNumber%",12)#
```
In the preceding sample, you still configure the rules to set the computer name to a prefix (PC-) followed by the serial number. However, by adding the Left VBScript function, you configure the rule to use only the first 12 serial-number characters for the name.
### Add laptops to a different organizational unit (OU) in Active Directory
In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read.
```ini
[Settings]
Priority=ByLaptopType, Default
[Default]
MachineObjectOU=OU=Workstations,OU=Contoso,DC=contoso,DC=com
[ByLaptopType]
Subsection=Laptop-%IsLaptop%
[Laptop-True]
MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com
```
## Related articles
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

64
windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
View File

@ -1,64 +0,0 @@
---
title: Configure MDT for UserExit scripts (Windows 10)
description: In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Configure MDT for UserExit scripts
In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address.
## Configure the rules to call a UserExit script
You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder).
```ini
[Settings]
Priority=Default
[Default]
OSINSTALL=YES
UserExit=Setname.vbs
OSDComputerName=#SetName("%MACADDRESS%")#
```
The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample, the %MACADDRESS% variable is passed to the script
## The Setname.vbs UserExit script
The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address.
```vb
Function UserExit(sType, sWhen, sDetail, bSkip)
UserExit = Success
End Function
Function SetName(sMac)
Dim re
Set re = new RegExp
re.IgnoreCase = true
re.Global = true
re.Pattern = ":"
SetName = "PC" & re.Replace(sMac, "")
End Function
```
The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value.
> [!NOTE]
> The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
## Related articles
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

41
windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
View File

@ -1,41 +0,0 @@
---
title: Configure MDT settings (Windows 10)
description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Configure MDT settings
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this article, you learn about configuring customizations for your environment.
For the purposes of this article, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
![figure 1.](../images/mdt-09-fig01.png)
The computers used in this article.
## In this section
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
## Related articles
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

775
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -1,775 +0,0 @@
---
title: Create a Windows 10 reference image (Windows 10)
description: Creating a reference image is important because that image serves as the foundation for the devices in your organization.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Create a Windows 10 reference image
**Applies to:**
- Windows 10
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this article, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this article, you 'll have a Windows 10 reference image that can be used in your deployment solution.
> [!NOTE]
> For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
For the purposes of this article, we'll use three computers: DC01, MDT01, and HV01.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is a contoso.com domain member server.
- HV01 is a Hyper-V server that will be used to build the reference image.
![devices.](../images/mdt-08-fig01.png)
Computers used in this article.
## The reference image
The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are:
- To reduce development time and can use snapshots to test different configurations quickly.
- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related.
- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
- The image is easy to move between lab, test, and production.
## Set up the MDT build lab deployment share
With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
### Create the MDT build lab deployment share
On **MDT01**:
1. Sign in as **contoso\\administrator** using a password of **pass@word1** (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article).
2. Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access.
3. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
4. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **D:\\MDTBuildLab**
- Share name: **MDTBuildLab$**
- Deployment share description: **MDT Build Lab**
5. Accept the default selections on the Options page and select **Next**.
6. Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**.
7. Verify that you can access the **\\\\MDT01\\MDTBuildLab$** share.
![figure 2.](../images/mdt-08-fig02.png)
The Deployment Workbench with the MDT Build Lab deployment share.
### Enable monitoring
To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
### Configure permissions for the deployment share
In order to read files in the deployment share and write the reference image back to it, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
On **MDT01**:
1. Ensure you're signed in as **contoso\\administrator**.
2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
```powershell
icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
```
## Add setup files
This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
### Add the Windows 10 installation files
MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
> [!NOTE]
> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
### Add Windows 10 Enterprise x64 (full source)
On **MDT01**:
1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
![ISO.](../images/iso-data.png)
2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- Full set of source files
- Source directory: (location of your source files)
- Destination directory name: **W10EX64RTM**
5. After adding the operating system, in the **Operating Systems** > **Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
![Default image.](../images/deployment-workbench01.png)
> [!NOTE]
> Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
## Add applications
Before you create an MDT task sequence, you need to add applications and scripts you wish to install to the MDT Build Lab share.
On **MDT01**:
First, create an MDT folder to store the Microsoft applications that will be installed:
1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications**
2. Right-click **Applications** and then select **New Folder**.
3. Under **Folder name**, type **Microsoft**.
4. Select **Next** twice, and then select **Finish**.
The steps in this section use a strict naming standard for your MDT applications.
- Use the **Install -** prefix for typical application installations that run a setup installer of some kind.
- Use the **Configure -** prefix when an application configures a setting in the operating system.
- You also add an **- x86**, **- x64**, or **- x86-x64** suffix to indicate the application's architecture (some applications have installers for both architectures).
Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments.
In example sections, you 'll add the following applications:
- Install - Microsoft Office 365 Pro Plus - x64
- Install - Microsoft Visual C++ Redistributable 2019 - x86
- Install - Microsoft Visual C++ Redistributable 2019 - x64
>The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261)
Download links:
- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117)
- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe)
- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe)
Download all three items in this list to the D:\\Downloads folder on MDT01.
> [!NOTE]
> For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
> [!NOTE]
> All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
### Create configuration file: Microsoft Office 365 Professional Plus x64
1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
For example, you can use the following configuration.xml file, which provides these configuration settings:
- Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet.
> [!NOTE]
> 64-bit is now the default and recommended edition.
- Use the General Availability Channel and get updates directly from the Office CDN on the internet.
- Perform a silent installation. You won't see anything that shows the progress of the installation and you won't see any error messages.
```xml
<Configuration>
<Add OfficeClientEdition="64" Channel="Broad">
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
</Product>
</Add>
<Display Level="None" AcceptEULA="TRUE" />
<Updates Enabled="TRUE" />
</Configuration>
```
When you use these settings, anytime you build the reference image you'll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
> [!TIP]
> You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool).
3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder:
![folder.](../images/office-folder.png)
Assuming you've named the file `configuration.xml` as shown above, we'll use the command **`setup.exe /configure configuration.xml`** when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet.
> [!IMPORTANT]
> After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
Additional information
- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you're using). That means that once you've deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
> [!NOTE]
> With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
- When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
### Connect to the deployment share using Windows PowerShell
If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in, and then make the deployment share a PowerShell drive (PSDrive).
On **MDT01**:
1. Ensure you're signed in as **contoso\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
```powershell
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab"
```
> [!TIP]
> Use `Get-Command -module MicrosoftDeploymentToolkit` to see a list of available cmdlets
### Create the install: Microsoft Office 365 Pro Plus - x64
In these steps, we assume that you've downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365.
On **MDT01**:
1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
```powershell
$ApplicationName = "Install - Office365 ProPlus - x64"
$CommandLine = "setup.exe /configure configuration.xml"
$ApplicationSourcePath = "D:\Downloads\Office365"
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
Upon successful installation, the following text is displayed:
```output
VERBOSE: Performing the operation "import" on target "Application".
VERBOSE: Beginning application import
VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install -
Office365 ProPlus - x64
VERBOSE: Creating new item named Install - Office365 ProPlus - x64 at DS001:\Applications\Microsoft.
Name
----
Install - Office365 ProPlus - x64
VERBOSE: Import processing finished.
```
### Create the install: Microsoft Visual C++ Redistributable 2019 - x86
> [!NOTE]
> We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters.
In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
On **MDT01**:
1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
```powershell
$ApplicationName = "Install - MSVC 2019 - x86"
$CommandLine = "vc_redist.x86.exe /Q"
$ApplicationSourcePath = "D:\Downloads"
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
Upon successful installation, the following text is displayed:
```output
VERBOSE: Performing the operation "import" on target "Application".
VERBOSE: Beginning application import
VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86
VERBOSE: Creating new item named Install - MSVC 2019 - x86 at DS001:\Applications\Microsoft.
Name
----
Install - MSVC 2019 - x86
VERBOSE: Import processing finished.
```
### Create the install: Microsoft Visual C++ Redistributable 2019 - x64
In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
On **MDT01**:
1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
```powershell
$ApplicationName = "Install - MSVC 2019 - x64"
$CommandLine = "vc_redist.x64.exe /Q"
$ApplicationSourcePath = "D:\Downloads"
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
## Create the reference image task sequence
In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image.
After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying.
### Drivers and the reference image
Because we use modern virtual platforms for creating our reference images, we don't need to worry about drivers when creating reference images for Windows 10. We use Hyper-V in our environment, and Windows Preinstallation Environment (Windows PE) already has all the needed drivers built-in for Hyper-V.
### Create a task sequence for Windows 10 Enterprise
To create a Windows 10 reference image task sequence, the process is as follows:
On **MDT01**:
1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. **Task sequence ID**: REFW10X64-001
2. **Task sequence name**: Windows 10 Enterprise x64 RTM Default Image
3. **Task sequence comments**: Reference Build
4. **Template**: Standard Client Task Sequence
5. **Select OS**: Windows 10 Enterprise x64 RTM Default Image
6. **Specify Product Key**: Don't specify a product key at this time
7. **Full Name**: Contoso
8. **Organization**: Contoso
9. **Internet Explorer home page**: `http://www.contoso.com`
10. **Admin Password**: Don't specify an Administrator Password at this time
### Edit the Windows 10 task sequence
The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64.
On **MDT01**:
1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**.
2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings:
- **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box.
- **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action.
- **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting:
- Name: **Custom Tasks (Pre-Windows Update)**
- **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**.
> [!NOTE]
> The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
- **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings:
- **Name**: Install - Microsoft NET Framework 3.5.1
- **Select the operating system for which roles are to be installed**: Windows 10
- **Select the roles and features that should be installed**: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
> [!IMPORTANT]
> This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
![task sequence.](../images/fig8-cust-tasks.png)
The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
- **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
- **Name**: Microsoft Visual C++ Redistributable 2019 - x86
- **Install a Single Application**: browse to **Install - MSVC 2019 - x86**
- Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
3. Select **OK**.
![apps.](../images/mdt-apps.png)
### Optional configuration: Add a suspend action
The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you select the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
![figure 8.](../images/fig8-suspend.png)
A task sequence with optional Suspend action (LTISuspend.wsf) added.
![figure 9.](../images/fig9-resumetaskseq.png)
The Windows 10 desktop with the Resume Task Sequence shortcut.
### Edit the Unattend.xml file for Windows 10 Enterprise
When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK).
> [!WARNING]
> Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
> [!NOTE]
> You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing.
Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence:
On **MDT01**:
1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
2. In the **OS Info** tab, select **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
> [!IMPORTANT]
> The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error **Could not load file or assembly** in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
>
> - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
>
> - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
>
> - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
>
> - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
- **DisableDevTools**: true
5. Save the Unattend.xml file, and close Windows SIM.
> [!NOTE]
> If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
6. On the Windows 10 Enterprise x64 RTM Default Image Properties, select **OK**.
![figure 10.](../images/fig10-unattend.png)
Windows System Image Manager with the Windows 10 Unattend.xml.
## Configure the MDT deployment share rules
Understanding rules is critical to successfully using MDT. Rules are configured using the **Rules** tab of the deployment share's properties. The **Rules** tab is essentially a shortcut to edit the **CustomSettings.ini** file that exists in the **D:\\MDTBuildLab\\Control** folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment.
### MDT deployment share rules overview
In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you select OK.
To configure the rules for the MDT Build Lab deployment share:
On **MDT01**:
1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration:
```ini
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=YES
FinishAction=SHUTDOWN
DoNotCreateExtraPartition=YES
WSUSServer=http://mdt01.contoso.com:8530
ApplyGPOPack=NO
SLSHARE=\\MDT01\Logs$
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
```
![figure 11.](../images/mdt-rules.png)
The server-side rules for the MDT Build Lab deployment share.
3. Select **Edit Bootstrap.ini** and modify using the following information:
```ini
[Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
> [!NOTE]
> For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
- **Image description**: MDT Build Lab x86
- **ISO file name**: MDT Build Lab x86.iso
6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
7. In the **Lite Touch Boot Image Settings** area, configure the following settings:
- **Image description**: MDT Build Lab x64
- **ISO file name**: MDT Build Lab x64.iso
8. Select **OK**.
> [!NOTE]
> In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
### Update the deployment share
After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created.
1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
> [!NOTE]
> The update process will take 5 to 10 minutes.
### The rules explained
Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files.
The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide enough information for MDT to find the CustomSettings.ini.
The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media).
> [!NOTE]
> The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
### The Bootstrap.ini file
The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01.
```ini
[Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
So, what are these settings?
- **Priority**: This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\].
- **DeployRoot**: This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
- **UserDomain, UserID, and UserPassword**: These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you.
> [!WARNING]
> Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
- **SkipBDDWelcome**: Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
> [!NOTE]
> All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
### The CustomSettings.ini file
The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration.
```ini
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=YES
FinishAction=SHUTDOWN
DoNotCreateExtraPartition=YES
WSUSServer=http://mdt01.contoso.com:8530
ApplyGPOPack=NO
SLSHARE=\\MDT01\Logs$
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
```
- **Priority**: Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
- **\_SMSTSORGNAME**: The organization name displayed in the task sequence progress bar window during deployment.
- **UserDataLocation**: Controls the settings for user state backup. You don't need to use when building and capturing a reference image.
- **DoCapture**: Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
- **OSInstall**: Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed.
- **AdminPassword**: Sets the local Administrator account password.
- **TimeZoneName**: Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
> [!NOTE]
> The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
- **JoinWorkgroup**: Configures Windows to join a workgroup.
- **HideShell**: Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction**: Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition**: Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image.
- **WSUSServer**: Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
- **SLSHARE**: Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
- **ApplyGPOPack**: Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
- **SkipAdminPassword**: Skips the pane that asks for the Administrator password.
- **SkipProductKey**: Skips the pane that asks for the product key.
- **SkipComputerName**: Skips the Computer Name pane.
- **SkipDomainMemberShip**: Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties.
- **SkipUserData**: Skips the pane for user state migration.
- **SkipLocaleSelection**: Skips the pane for selecting language and keyboard settings.
- **SkipTimeZone**: Skips the pane for setting the time zone.
- **SkipApplications**: Skips the Applications pane.
- **SkipBitLocker**: Skips the BitLocker pane.
- **SkipSummary**: Skips the initial Windows Deployment Wizard summary pane.
- **SkipRoles**: Skips the Install Roles and Features pane.
- **SkipCapture**: Skips the Capture pane.
- **SkipFinalSummary**: Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down.
## Build the Windows 10 reference image
As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements).
Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process.
The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image.
1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01).
> [!NOTE]
> Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image.
On **HV01**:
1. Create a new virtual machine with the following settings:
1. Name: REFW10X64-001
2. Store the virtual machine in a different location: C:\VM
3. Generation 1
4. Memory: 1024 MB
5. Network: Must be able to connect to \\MDT01\MDTBuildLab$
6. Hard disk: 60 GB (dynamic disk)
7. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso
2. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
> [!NOTE]
> Checkpoints are useful if you need to restart the process and want to make sure you can start clean.
3. Start the REFW10X64-001 virtual machine and connect to it.
> [!NOTE]
> Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
After booting into Windows PE, complete the Windows Deployment Wizard with the following settings:
- **Select a task sequence to execute on this computer**: Windows 10 Enterprise x64 RTM Default Image
- **Specify whether to capture an image**: Capture an image of this reference computer
- Location: \\\\MDT01\\MDTBuildLab$\\Captures
- **File name**: REFW10X64-001.wim
![capture image.](../images/captureimage.png)
The Windows Deployment Wizard for the Windows 10 reference image.
4. The setup now starts and does the following steps:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added applications, roles, and features.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
4. Stages Windows PE on the local disk.
5. Runs System Preparation (Sysprep) and reboots into Windows PE.
6. Captures the installation to a Windows Imaging (WIM) file.
7. Turns off the virtual machine.
After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
![image.](../images/image-captured.png)
## Troubleshooting
> [!IMPORTANT]
> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7).
If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
![monitoring.](../images/mdt-monitoring.png)
If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
## Related articles
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

883
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -1,883 +0,0 @@
---
title: Deploy a Windows 10 image using MDT (Windows 10)
description: This article will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.collection:
- highpri
- tier3
ms.date: 11/28/2022
---
# Deploy a Windows 10 image using MDT
**Applies to:**
- Windows 10
This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
For the purposes of this article, we'll use four computers: DC01, MDT01, HV01 and PC0005.
- DC01 is a domain controller
- MDT01 is a domain member server
- HV01 is a Hyper-V server
- PC0005 is a blank device to which we'll deploy Windows 10
MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment.
![devices.](../images/mdt-07-fig01.png)
> [!NOTE]
> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
## Step 1: Configure Active Directory permissions
These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
On **DC01**:
1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
```powershell
New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
```
3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
The following list is of the permissions being granted:
- Scope: This object and all descendant objects
- Create Computer objects
- Delete Computer objects
- Scope: Descendant Computer objects
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principal name
## Step 2: Set up the MDT production deployment share
Next, create a new MDT deployment share. You shouldn't use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server.
### Create the MDT production deployment share
On **MDT01**:
The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image:
1. Ensure you're signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**.
6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
### Configure permissions for the production deployment share
To read files in the deployment share, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTProduction** folder
On **MDT01**:
1. Ensure you're signed in as **contoso\\administrator**.
2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
```powershell
icacls.exe "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
```
## Step 3: Add a custom image
The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components.
### Add the Windows 10 Enterprise x64 RTM custom image
In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) article, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
3. On the **OS Type** page, select **Custom image file** and select **Next**.
4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and select **Next**.
5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**.
7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
> [!NOTE]
> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
![imported OS.](../images/fig2-importedos.png)
## Step 4: Add an application
When you configure your MDT Build Lab deployment share, you can also add applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example.
### Create the install: Adobe Reader DC
On **MDT01**:
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
6. On the **Application Type** page, select the **Application with source files** option and select **Next**.
7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and select *Next**.
8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and select **Next**.
9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and select **Next**.
10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, select **Next** twice, and then select **Finish**.
![acroread image.](../images/acroread.png)
The Adobe Reader application added to the Deployment Workbench.
## Step 5: Prepare the drivers repository
In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
- Lenovo ThinkPad T420
- Dell Latitude 7390
- HP EliteBook 8560w
- Microsoft Surface Pro
For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
> [!NOTE]
> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.
### Create the driver source structure in the file system
The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
On **MDT01**:
> [!IMPORTANT]
> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system.
1. Using File Explorer, create the **D:\\drivers** folder.
2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- Dell Inc.
- Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- ThinkStation P500 (30A6003TUS)
- Microsoft Corporation
- Surface Laptop
> [!NOTE]
> Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
### Create the logical driver structure in MDT
When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench.
1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node.
2. In the **Out-Of-Box Drivers** node, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- Dell Inc.
- Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- 30A6003TUS
- Microsoft Corporation
- Surface Laptop
The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
```powershell
Get-WmiObject -Class:Win32_ComputerSystem
```
Or, you can use this command in a normal command prompt:
```cmd
wmic.exe csproduct get name
```
If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation).
![drivers.](../images/fig4-oob-drivers.png)
The Out-of-Box Drivers structure in the Deployment Workbench.
### Create the selection profiles for boot image drivers
By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can't locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
2. In the **New Selection Profile Wizard**, create a selection profile with the following settings:
- **Selection Profile name**: WinPE x86
- **Folders**: Select the WinPE x86 folder in Out-of-Box Drivers.
- Select **Next**, **Next** and **Finish**.
3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
4. In the New Selection Profile Wizard, create a selection profile with the following settings:
- **Selection Profile name**: WinPE x64
- **Folders**: Select the WinPE x64 folder in Out-of-Box Drivers.
- Select **Next**, **Next** and **Finish**.
![figure 5.](../images/fig5-selectprofile.png)
Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require more drivers. In this example, you add the latest Intel network drivers to the x64 boot image.
On **MDT01**:
1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)).
2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
> [!NOTE]
> Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**.
### Download, extract, and import drivers
### For the Lenovo ThinkStation P500
For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
![ThinkStation image.](../images/thinkstation.png)
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
In this example, we assume you've downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory.
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
The folder you select and all subfolders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
### For the Latitude E7450
For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
In these steps, we assume you've downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder.
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node.
2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**`D:\Drivers\Windows 10 x64\Dell Inc.\Latitude E7450`**
### For the HP EliteBook 8560w
For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html).
In these steps, we assume you've downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**`D:\Drivers\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`**
### For the Microsoft Surface Laptop
For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps, we assume you've downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder.
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers:
**`D:\Drivers\Windows 10 x64\Microsoft\Surface Laptop`**
## Step 6: Create the deployment task sequence
This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You'll then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
### Create a task sequence for Windows 10 Enterprise
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
- Task sequence comments: Production Image
- Template: Standard Client Task Sequence
- Select OS: Windows 10 Enterprise x64 RTM Custom Image
- Specify Product Key: Don't specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: `https://www.contoso.com`
- Admin Password: Don't specify an Administrator Password at this time
### Edit the Windows 10 task sequence
1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
- **Name**: Set DriverGroup001
- **Task Sequence Variable**: DriverGroup001
- **Value**: Windows 10 x64\\%Make%\\%Model%
2. Configure the **Inject Drivers** action with the following settings:
- **Choose a selection profile**: Nothing
- Install all drivers from the selection profile
> [!NOTE]
> The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
3. Select **OK**.
![drivergroup.](../images/fig6-taskseq.png)
The task sequence for production deployment.
## Step 7: Configure the MDT production deployment share
In this section, you'll learn how to configure the MDT Build Lab deployment share with the rules required to create a dynamic deployment process. This configuration includes commonly used rules and an explanation of how these rules work.
### Configure the rules
> [!NOTE]
> The following instructions assume the device is online. If you're offline you can remove SLShare variable.
On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
```ini
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
WSUSServer=mdt01.contoso.com:8530
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=NO
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
```
3. Select **Edit Bootstrap.ini** and modify using the following information:
```ini
[Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x86
- ISO file name: MDT Production x86.iso
> [!NOTE]
>
> Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests.
6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
8. On the **General** sub tab, configure the following settings:
In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x64
- ISO file name: MDT Production x64.iso
9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
11. Select **OK**.
> [!NOTE]
> It will take a while for the Deployment Workbench to create the monitoring database and web service.
![figure 8.](../images/mdt-07-fig08.png)
The Windows PE tab for the x64 boot image.
### The rules explained
The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
This file is the MDT Production Bootstrap.ini:
```ini
[Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
### The CustomSettings.ini file
This file is the CustomSettings.ini file with the new join domain information:
```ini
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=Y
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
WSUSServer=http://mdt01.contoso.com:8530
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=NO
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
EventService=http://MDT01:9800
```
Some properties to use in the MDT Production rules file are as follows:
- **JoinDomain.** The domain to join.
- **DomainAdmin.** The account to use when joining the machine to the domain.
- **DomainAdminDomain.** The domain for the join domain account.
- **DomainAdminPassword.** The password for the join domain account.
- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account.
- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command.
- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore).
- **EventService.** Activates logging information to the MDT monitoring web service.
> [!NOTE]
> For more information about localization support, see the following articles:
>
> - [MDT sample guide](/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario)
> - [LCID (Locale ID) codes](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a)
### Optional deployment share configuration
If your organization has a Microsoft Software Assurance agreement, you also can subscribe to another Microsoft Desktop Optimization Package (MDOP) license (at an extra cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, and troubleshoot Windows itself.
### Add DaRT 10 to the boot images
If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps:
> [!NOTE]
> DaRT 10 is part of [MDOP 2015](/microsoft-desktop-optimization-pack/#how-to-get-mdop).
>
> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
On **MDT01**:
1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\<lang\>\\x64\\MSDaRT100.msi).
2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
![DaRT image.](../images/dart.png)
3. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
4. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
5. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
6. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
![DaRT selection.](../images/mdt-07-fig09.png)
Selecting the DaRT 10 feature in the deployment share.
7. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
8. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
9. Select **OK**.
### Update the deployment share
Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created.
1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
> [!NOTE]
> The update process will take 5 to 10 minutes.
## Step 8: Deploy the Windows 10 client image
These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process.
### Configure Windows Deployment Services
You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-windows-deployment-services-wds) article.
On **MDT01**:
1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**.
2. Right-click **Boot Images** and select **Add Boot Image**.
3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
![figure 9.](../images/mdt-07-fig10.png)
The boot image added to the WDS console.
### Deploy the Windows 10 client
At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine:
On **HV01**:
1. Create a virtual machine with the following settings:
- Name: PC0005
- Store the virtual machine in a different location: C:\VM
- Generation: 2
- Memory: 2048 MB
- Network: Must be able to connect to \\MDT01\MDTProduction$
- Hard disk: 60 GB (dynamic disk)
- Installation Options: Install an operating system from a network-based installation server
2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
![figure 10.](../images/mdt-07-fig11.png)
The initial PXE boot process of PC0005.
3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
- Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
- Computer Name: **PC0005**
- Applications: Select the **Install - Adobe Reader** checkbox.
4. Setup now begins and does the following steps:
- Installs the Windows 10 Enterprise operating system.
- Installs the added application.
- Updates the operating system via your local Windows Server Update Services (WSUS) server.
![pc0005 image1.](../images/pc0005-vm.png)
### Application installation
Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically.
![pc0005 image2.](../images/pc0005-vm-office.png)
### Use the MDT monitoring feature
Since you've enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node.
On **MDT01**:
1. In the Deployment Workbench, expand the **MDT Production** deployment share folder.
2. Select the **Monitoring** node, and wait until you see PC0005.
3. Double-click PC0005, and review the information.
![figure 11.](../images/mdt-07-fig13.png)
The Monitoring node, showing the deployment progress of PC0005.
### Use information in the Event Viewer
When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log.
![figure 12.](../images/mdt-07-fig14.png)
The Event Viewer showing a successful deployment of PC0005.
## Multicast deployments
Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it's important to ensure that your network supports it and is designed for it. If you've a limited number of simultaneous deployments, you probably don't need to enable multicast.
### Requirements
Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this configuration means involvement of the organization networking team to ensure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3.
### Set up MDT for multicast
Setting up MDT for multicast is straightforward. You enable multicast on the deployment share, and MDT takes care of the rest.
On **MDT01**:
1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**.
2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**.
3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
![figure 13.](../images/mdt-07-fig15.png)
The newly created multicast namespace.
## Use offline media to deploy Windows 10
In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire.
### Create the offline media selection profile
To filter what is being added to the media, you create a selection profile. When creating selection profiles, you quickly realize the benefits of having created a good logical folder structure in the Deployment Workbench.
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
2. Use the following settings for the New Selection Profile Wizard:
- General Settings
- **Selection profile name**: Windows 10 Offline Media
- Folders
- Applications / Adobe
- Operating Systems / Windows 10
- Out-Of-Box Drivers / WinPE x64
- Out-Of-Box Drivers / Windows 10 x64
- Task Sequences / Windows 10
![offline media.](../images/mdt-offline-media.png)
### Create the offline media
In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile.
1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder.
> [!NOTE]
> When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
3. Use the following settings for the New Media Wizard:
- General Settings
- Media path: **D:\\MDTOfflineMedia**
- Selection profile: **Windows 10 Offline Media**
### Configure the offline media
Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench.
On **MDT01**:
1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
3. In the **General** tab, configure the following:
- Clear the Generate x86 boot image check box.
- ISO file name: Windows 10 Offline Media.iso
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
5. On the **General** sub tab, configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
- **Image description**: MDT Production x64
- In the **Windows PE Customizations** area, set the Scratch space size to 128.
6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
7. Select **OK**.
### Generate the offline media
You've now configured the offline media deployment share, however the share hasn't yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO.
On **MDT01**:
1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
### Create a bootable USB stick
The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
> [!TIP]
> In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
>
> **`Dism.exe /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.`**
>
> Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
>
> To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
Follow these steps to create a bootable USB stick from the offline media content:
1. On a physical machine running Windows 7 or later, insert the USB stick you want to use.
2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
6. In the Diskpart utility, type **active**, and then type **exit**.
## Unified Extensible Firmware Interface (UEFI)-based deployments
As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you've an UEFI-based machine and creates the partitions UEFI requires. You don't need to update or change your task sequences in any way to accommodate UEFI.
![figure 14.](../images/mdt-07-fig16.png)
The partitions when deploying an UEFI-based machine.
## Related articles
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

203
windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
View File

@ -1,203 +0,0 @@
---
title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
description: This article will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.collection:
- highpri
- tier3
ms.date: 11/28/2022
---
# Get started with MDT
**Applies to:**
- Windows 10
This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
## About MDT
MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Configuration Manager](/configmgr/).
> [!IMPORTANT]
> For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-).
## Key features in MDT
MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment.
MDT has many useful features, such as:
- **Windows Client support**: Supports Windows 7, Windows 8.1, and Windows 10.
- **Windows Server support**: Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
- **Additional operating systems support**: Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry.
- **UEFI support**: Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
- **GPT support**: Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI.
- **Enhanced Windows PowerShell support**: Provides support for running PowerShell scripts.
![figure 2.](../images/mdt-05-fig02.png)
The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
- **Add local administrator accounts**: Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
- **Automated participation in CEIP and WER**: Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
- **Deploy Windows RE**: Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
- **Deploy to VHD**: Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
- **Improved deployment wizard**: Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard.
- **Monitoring**: Allows you to see the status of currently running deployments.
- **Apply GPO Pack**: Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
- **Partitioning routines**: Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
- **Offline BitLocker**: Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
- **USMT offline user-state migration**: Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
![figure 3.](../images/mdt-05-fig03.png)
The offline USMT backup in action.
- **Install or uninstall Windows roles or features**: Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
- **Microsoft System Center Orchestrator integration**: Provides the capability to use Orchestrator runbooks as part of the task sequence.
- **Support for DaRT**: Supports optional integration of the DaRT components into the boot image.
- **Support for Microsoft Office**: Provides added support for deploying Microsoft Office.
- **Support for Modern UI app package provisioning**: Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
- **Extensibility**: Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
- **Upgrade task sequence**: Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
## MDT Lite Touch components
Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk.
When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, select **View Script**. You're provided the PowerShell command.
![figure 4.](../images/mdt-05-fig04.png)
If you select **View Script** on the right side, you'll get the PowerShell code that was used to perform the task.
## Deployment shares
A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get more settings for the deployment. For Lite Touch deployments, it's common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it's common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment.
## Rules
The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
- Computer name
- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
- Whether to enable BitLocker
- Regional settings
You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/).
![figure 5.](../images/mdt-05-fig05.png)
Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
## Boot images
Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment.
## Operating systems
Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
## Applications
Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
## Driver repository
You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
## Packages
With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those packages. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that aren't available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
## Task sequences
Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
- **Gather**: Reads configuration settings from the deployment server.
- **Format and Partition**: Creates the partition(s) and formats them.
- **Inject Drivers**: Finds out which drivers the machine needs and downloads them from the central driver repository.
- **Apply Operating System**: Applies the Windows image.
- **Windows Update**: Connects to a WSUS server and updates the machine.
## Task sequence templates
MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence.
- **Sysprep and Capture task sequence**: Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
> [!NOTE]
> It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't.
- **Standard Client task sequence**: The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
- **Standard Client Replace task sequence**: Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
- **Custom task sequence**: As the name implies, a custom task sequence with only one default action (one Install Application action).
- **Standard Server task sequence**: The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers.
- **Lite Touch OEM task sequence**: Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
- **Post OS Installation task sequence**: A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments.
- **Deploy to VHD Client task sequence**: Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
- **Deploy to VHD Server task sequence**: Same as the Deploy to VHD Client task sequence but for servers.
- **Standard Client Upgrade task sequence**: A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
## Selection profiles
Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
- Control which drivers are injected during the task sequence.
- Control what is included in any media that you create.
- Control what is replicated to other deployment shares.
- Filter which task sequences and applications are displayed in the Deployment Wizard.
## Logging
MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
> [!NOTE]
> The easiest way to view log files is to use Configuration Manager Trace (CMTrace). For more information, see [CMTrace](/mem/configmgr/core/support/cmtrace).
## Monitoring
On the deployment share, you also can enable monitoring. After you enable monitoring, you'll see all running deployments in the Monitor node in the Deployment Workbench.
## See next
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)

293
windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
View File

@ -1,293 +0,0 @@
---
title: Prepare for deployment with MDT (Windows 10)
description: This article will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.collection:
- highpri
- tier3
ms.date: 10/13/2023
---
# Prepare for deployment with MDT
**Applies to:**
- Windows 10
This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.
## Infrastructure
The procedures in this guide use the following names and infrastructure.
### Network and servers
For the purposes of this article, we'll use three server computers: **DC01**, **MDT01**, and **HV01**.
- All servers are running Windows Server 2019.
- You can use an earlier version of Windows Server with minor modifications to some procedures.
- **DC01** is a domain controller, DHCP server, and DNS server for **contoso.com**, representing the fictitious Contoso Corporation.
- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200 GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
- A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image.
- See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
### Client computers
Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.
- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
- Client name: PC0001
- IP Address: DHCP
- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
- Client name: PC0002
- IP Address: DHCP
- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
### Storage requirements
MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you'll need to adjust some procedures in this guide to specify the C: drive instead of the D: drive.
### Hyper-V requirements
If you don't have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
### Network requirements
All server and client computers referenced in this guide are on the same subnet. This isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
### Domain credentials
The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
- **Active Directory domain name**: contoso.com
- **Domain administrator username**: administrator
- **Domain administrator password**: pass@word1
### Organizational unit structure
The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs.
![figure 2.](../images/mdt-01-fig02.jpg)
## Install the Windows ADK
These steps assume that you have the MDT01 member server running and configured as a domain member server.
On **MDT01**:
Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you'll need to create this folder):
- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe)
- This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch.
> [!TIP]
> You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
1. On **MDT01**, ensure that you're signed in as an administrator in the CONTOSO domain.
- For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of **pass@word1**. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page select **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
- You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
## Install and initialize Windows Deployment Services (WDS)
On **MDT01**:
1. Open an elevated Windows PowerShell prompt and enter the following command:
```powershell
Install-WindowsFeature -Name WDS -IncludeManagementTools
WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
WDSUTIL.exe /Set-Server /AnswerClients:All
```
## Optional: Install Windows Server Update Services (WSUS)
If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment.
To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:
```powershell
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
cd "C:\Program Files\Update Services\Tools"
.\wsusutil.exe postinstall CONTENT_DIR=C:\WSUS
```
> [!NOTE]
> To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the necessary post-installation configuration of WSUS on MDT01.
## Install MDT
> [!NOTE]
> MDT installation requires the following:
>
> - The Windows ADK for Windows 10 (installed in the previous procedure)
> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; enter `$host` to check)
> - Microsoft .NET Framework
On **MDT01**:
1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**.
2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
> [!NOTE]
> As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
## Create the OU structure
Switch to **DC01** and perform the following procedures on **DC01**:
To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell.
Copy the following list of OU names and paths into a CSV file and save it as `~\Setup\Scripts\oulist.csv`.
```csv
OUName,OUPath
Contoso,"DC=CONTOSO,DC=COM"
Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
```
Next, copy the following commands into a file and save it as `~\Setup\Scripts\ou.ps1`. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension.
```powershell
Import-CSV -Path $home\Setup\Scripts\oulist.csv | ForEach-Object {
New-ADOrganizationalUnit -Name $_.ouname -Path $_.oupath
Write-Host -ForegroundColor Green "OU $($_.ouname) is created in the location $($_.oupath)"
}
```
Lastly, open an elevated Windows PowerShell prompt on DC01 and run the `ou.ps1` script:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location $home\Setup\Scripts
.\ou.ps1
```
This will create an OU structure as shown below.
![OU structure.](../images/mdt-05-fig07.png)
To use the Active Directory Users and Computers console (instead of PowerShell):
On **DC01**:
1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**.
2. In the **Contoso** OU, create the following OUs:
- Accounts
- Computers
- Groups
3. In the **Contoso / Accounts** OU, create the following underlying OUs:
- Admins
- Service Accounts
- Users
4. In the **Contoso / Computers** OU, create the following underlying OUs:
- Servers
- Workstations
5. In the **Contoso / Groups** OU, create the following OU:
- Security Groups
The final result of either method is shown below. The **MDT_BA** account will be created next.
## Create the MDT service account
When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
To create an MDT build account, open an elevated Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":
```powershell
New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
```
If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above.
## Create and share the logs folder
By default MDT stores the log files locally on the client. In order to capture a reference image, you'll need to enable server-side logging and, to do that, you'll need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
On **MDT01**:
1. Sign in as **CONTOSO\\administrator**.
2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
```powershell
New-Item -Path D:\Logs -ItemType directory
New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
```
See the following example:
![Logs folder.](../images/mdt-05-fig08.png)
## Use Support Center OneTrace or CMTrace to read log files (optional)
The log files in MDT Lite Touch are formatted to be read by [Support Center OneTrace](/mem/configmgr/core/support/support-center-onetrace) or [CMTrace](/mem/configmgr/core/support/cmtrace).
Notepad can be used to read the log files (example below):
![figure 8.](../images/mdt-05-fig09.png)
However, Support Center OneTrace or CMTrace makes the logs much easier to read. See the same log file below, opened in CMTrace:
![figure 9.](../images/mdt-05-fig10.png)
Both Support Center OneTrace and CMTrace are available as part of Microsoft Configuration Manager.
## Next steps
When you've completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
## Appendix
### Sample files
The following sample files are also available to help automate some MDT deployment tasks. This guide doesn't use these files, but they're made available here so you can see how some tasks can be automated with Windows PowerShell.
- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.

121
windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
View File

@ -1,121 +0,0 @@
---
title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
description: This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Refresh a Windows 7 computer with Windows 10
**Applies to:**
- Windows 10
This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/).
For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is domain member server that hosts your deployment share.
- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more information on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
![computers.](../images/mdt-04-fig01.png "Computers used in this topic")
The computers used in this article.
## The computer refresh process
A computer refresh isn't the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings.
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh, you will:
1. Back up data and settings locally, in a backup folder.
2. Wipe the partition, except for the backup folder.
3. Apply the new operating system image.
4. Install other applications.
5. Restore data and settings.
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's many files.
> [!NOTE]
> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
### Multi-user migration
By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT).
For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: `ScanStateArgs=/ue:*\* /ui:CONTOSO\*`
> [!NOTE]
> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
### Support for additional settings
In addition to the command-line switches that control which profiles to migrate, [XML templates](../usmt/understanding-migration-xml-files.md) control exactly what data is being migrated. You can control data within and outside the user profiles.
### Multicast
Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment there are only a few computers. You'll need to update the deployment share after changing this setting.
## Refresh a Windows 7 SP1 client
In this section, we assume that you've already performed the prerequisite procedures in the following articles, so that you have a deployment share named **MDTProduction$** on MDT01:
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
It's also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909.
### Upgrade (refresh) a Windows 7 SP1 client
> [!IMPORTANT]
> Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in **Contoso** > **Computers** > **Workstations**. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**.
2. Complete the deployment guide using the following settings:
- Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
- **Computer name**: *\<default\>*
- **Specify where to save a complete computer backup**: Don't back up the existing computer
> [!NOTE]
> Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
- **Select one or more applications to install**: Install - Adobe Reader
![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh")
3. Setup starts and performs the following actions:
- Backs up user settings and data using USMT.
- Installs the Windows 10 Enterprise x64 operating system.
- Installs any added applications.
- Updates the operating system using your local Windows Server Update Services (WSUS) server.
- Restores user settings and data using USMT.
4. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
![monitor deployment.](../images/monitor-pc0001.png)
5. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
## Related articles
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

167
windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
View File

@ -1,167 +0,0 @@
---
title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10)
description: In this article, you'll learn how to replace a Windows 7 device with a Windows 10 device.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Replace a Windows 7 computer with a Windows 10 computer
**Applies to:**
- Windows 10
A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is domain member server that hosts your deployment share.
- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007.
- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain.
For more details on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
![The computers used in this topic.](../images/mdt-03-fig01.png)
The computers used in this article.
>HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer.
## Prepare for the computer replace
To prepare for the computer replace, you need to create a folder in which to store the backup and a backup only task sequence to run on the old computer.
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
On **MDT01**:
1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, select **Properties**, and then select the **Rules** tab.
2. Change the **SkipUserData=YES** option to **NO**, and select **OK**.
3. Right-click on **MDT Production** and select **Update Deployment Share**. Then select **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings.
### Create and share the MigData folder
On **MDT01**:
1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
```powershell
New-Item -Path D:\MigData -ItemType directory
New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE
icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
```
### Create a backup only (replace) task sequence
1. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: REPLACE-001
- Task sequence name: Backup Only Task Sequence
- Task sequence comments: Run USMT to back up user data and settings
- Template: Standard Client Replace Task Sequence
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
The Backup Only Task Sequence action list.
## Perform the computer replace
During a computer replace, the following are the high-level steps that occur:
1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup.
2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Run the replace task sequence
On **PC0002**:
1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share.
2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
3. Complete the **Windows Deployment Wizard** using the following settings:
- **Select a task sequence to execute on this computer**: Backup Only Task Sequence
- **Specify where to save your data and settings**: Specify a location
- **Location**: \\\\MDT01\\MigData$\\PC0002
> [!NOTE]
> If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
- **Specify where to save a complete computer backup**: Don't back up the existing computer
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence")
The new task sequence running the Capture User State action on PC0002.
4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup")
The USMT backup of PC0002.
### Deploy the replacement computer
To demonstrate deployment of the replacement computer, HV01 is used to host a virtual machine: PC0007.
On **HV01**:
1. Create a virtual machine with the following settings:
- **Name**: PC0007
- **Location**: C:\\VMs
- **Generation**: 2
- **Memory**: 2048 MB
- **Hard disk**: 60 GB (dynamic disk)
- Install an operating system from a network-based installation server
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
![The initial PXE boot process.](../images/mdt-03-fig05.png "The initial PXE boot process")
The initial PXE boot process of PC0007.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- Select a task sequence to execute on this computer:
- Windows 10 Enterprise x64 RTM Custom Image
- **Computer Name**: PC0007
- **Move Data and Settings**: Don't move user data and settings.
- **User Data (Restore)** > **Specify a location**: \\\\MDT01\\MigData$\\PC0002
- **Applications**: Adobe > Install - Adobe Reader
4. Setup now starts and does the following actions:
- Partitions and formats the disk.
- Installs the Windows 10 Enterprise operating system.
- Installs the application.
- Updates the operating system via your local Windows Server Update Services (WSUS) server.
- Restores the USMT backup from PC0002.
You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01.
![Monitor progress.](../images/mdt-replace.png)
## Related articles
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Configure MDT settings](configure-mdt-settings.md)

181
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -1,181 +0,0 @@
---
title: Set up MDT for BitLocker (Windows 10)
manager: aaroncz
ms.author: frankroj
description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Set up MDT for BitLocker
This article will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
- Multiple partitions on the hard drive.
To configure your environment for BitLocker, you'll need to do the following actions:
1. Configure Active Directory for BitLocker.
2. Download the various BitLocker scripts and tools.
3. Configure the operating system deployment task sequence for BitLocker.
4. Configure the rules (CustomSettings.ini) for BitLocker.
> [!NOTE]
> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
>
> If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
For the purposes of this article, we'll use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
## Configure Active Directory for BitLocker
To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we're running Windows Server 2012 R2, so you don't need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
> [!NOTE]
> Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
In Windows Server version from 2008 R2 and later, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
![figure 2.](../images/mdt-09-fig02.png)
The BitLocker Recovery information on a computer object in the contoso.com domain.
### Add the BitLocker Drive Encryption Administration Utilities
The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, select **Add roles and features**.
2. On the **Before you begin** page, select **Next**.
3. On the **Select installation type** page, select **Role-based or feature-based installation**, and select **Next**.
4. On the **Select destination server** page, select **DC01.contoso.com** and select **Next**.
5. On the **Select server roles** page, select **Next**.
6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then select **Next**:
1. BitLocker Drive Encryption Administration Utilities
2. BitLocker Drive Encryption Tools
3. BitLocker Recovery Password Viewer
7. On the **Confirm installation selections** page, select **Install**, and then select **Close**.
![figure 3.](../images/mdt-09-fig03.png)
Selecting the BitLocker Drive Encryption Administration Utilities.
### Create the BitLocker Group Policy
Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**.
2. Assign the name **BitLocker Policy** to the new Group Policy.
3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings found under **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives**
1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
- Allow data recovery agent (default)
- Save BitLocker recovery information to Active Directory Domain Services (default)
- Don't enable BitLocker until recovery information is stored in AD DS for operating system drives
2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
> [!NOTE]
> If you consistently get the error:
>
> **Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system.**
>
> after encrypting a computer with BitLocker, you might have to change the various **Configure TPM platform validation profile** Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
### Set permissions in Active Directory for BitLocker
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you've downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
```cmd
cscript.exe C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```
![figure 4.](../images/mdt-09-fig04.png)
Running the Add-TPMSelfWriteACE.vbs script on DC01.
## Add BIOS configuration tools from Dell, HP, and Lenovo
If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.
### Add tools from Dell
[Dell Command | Configure](https://www.dell.com/support/article/us/en/04/sln311302/dell-command-configure) provides a Command Line Interface and a Graphical User Interface.
### Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here's a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
```cmd
BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
```
And the sample content of the TPMEnable.REPSET file:
```txt
English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
```
### Add tools from Lenovo
The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here's a sample command to enable TPM using the Lenovo tools:
```cmd
cscript.exe SetConfig.vbs SecurityChip Active
```
## Configure the Windows 10 task sequence to enable BitLocker
When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it's helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we're using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](/archive/blogs/deploymentguys/check-to-see-if-the-tpm-is-enabled).
In the following task sequence, we added five actions:
- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip isn't already activated. Use the properties from the ZTICheckforTPM.wsf.
> [!NOTE]
> It is common for organizations to wrap these tools in scripts to get additional logging and error handling.
- **Restart computer.** Self-explanatory, reboots the computer.
- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.
- **Enable BitLocker.** Runs the built-in action to activate BitLocker.
## Related articles
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

103
windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
View File

@ -1,103 +0,0 @@
---
title: Simulate a Windows 10 deployment in a test environment (Windows 10)
description: This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Simulate a Windows 10 deployment in a test environment
This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it's most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you're using a domain-joined client.
## Test environment
- A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts.
- It's assumed that you've performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share:
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
## Simulate deployment
On **PC0001**:
1. Sign as **contoso\\Administrator**.
2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001.
```powershell
# Check for elevation
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
[Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script."
Write-Warning "Aborting script..."
Break
}
cls
if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse}
cscript.exe ZTIGather.wsf /debug:true
# Optional, comment out if you want the script to open the log in CMTrace
& "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log
```
> [!NOTE]
> For more information about the Configuration Manager Trace (cmtrace.exe) tool, see [CMTrace](/mem/configmgr/core/support/cmtrace).
4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group.
5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**.
6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**:
- ZTIDataAccess.vbs
- ZTIGather.wsf
- ZTIGather.xml
- ZTIUtility.vbs
7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**.
8. In the **C:\\MDT** folder, create a subfolder named **X64**.
9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
![files.](../images/mdt-09-fig06.png)
The C:\\MDT folder with the files added for the simulation environment.
10. Type the following at an elevated Windows PowerShell prompt:
```powershell
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
Set-Location C:\MDT
.\Gather.ps1
```
When prompted, press **R** to run the gather script.
11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace.
> [!NOTE]
> Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment.
![ztigather.](../images/mdt-09-fig07.png)
The ZTIGather.log file from PC0001.
## Related articles
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

123
windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
View File

@ -1,123 +0,0 @@
---
title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Perform an in-place upgrade to Windows 10 with MDT
**Applies to:**
- Windows 10
The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
> [!TIP]
> In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you can't use a custom image to perform the in-place upgrade. In this article, we'll add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
Three computers are used in this article: DC01, MDT01, and PC0002.
- DC01 is a domain controller for the contoso.com domain
- MDT01 is a domain member server
- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
![computers.](../images/mdt-upgrade.png)
The computers used in this article.
> [!NOTE]
> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
>
>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source).
## Create the MDT production deployment share
On **MDT01**:
1. Ensure you're signed on as **contoso\administrator**.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**.
6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
## Add Windows 10 Enterprise x64 (full source)
> [!NOTE]
> If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
On **MDT01**:
1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- Full set of source files
- **Source directory**: (location of your source files)
- **Destination directory name**: `W10EX64RTM`
5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**.
## Create a task sequence to upgrade to Windows 10 Enterprise
On **MDT01**:
1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**:
- **Task sequence ID**: W10-X64-UPG
- **Task sequence name**: Windows 10 Enterprise x64 RTM Upgrade
- **Template**: Standard Client Upgrade Task Sequence
- **Select OS**: Windows 10 Enterprise x64 RTM Default Image
- **Specify Product Key**: Don't specify a product key at this time
- **Organization**: Contoso
- **Admin Password**: Don't specify an Administrator password at this time
## Perform the Windows 10 upgrade
To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded).
On **PC0002**:
1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**.
3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
4. On the **Ready** tab, select **Begin** to start the task sequence.
When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
![upgrade1.](../images/upgrademdt-fig5-winupgrade.png)
![upgrade2.](../images/mdt-upgrade-proc.png)
![upgrade3.](../images/mdt-post-upg.png)
After the task sequence completes, the computer will be fully upgraded to Windows 10.
## Related articles
- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
- [Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)

212
windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
View File

@ -1,212 +0,0 @@
---
title: Use Orchestrator runbooks with MDT (Windows 10)
description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Use Orchestrator runbooks with MDT
This article will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
> [!NOTE]
> If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
## Orchestrator terminology
Before diving into the core details, here's a quick course in Orchestrator terminology:
- **Orchestrator Server**: This is a server that executes runbooks.
- **Runbooks**: A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
- **Orchestrator Designer**: This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
- **Subscriptions**: These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
- **Orchestrator Console**: This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
- **Orchestrator web services**: These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
- **Integration packs**: These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
> [!NOTE]
> To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)).
## Create a sample runbook
This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
> [!NOTE]
> Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt.
![figure 23.](../images/mdt-09-fig23.png)
Figure 23. The DeployLog.txt file.
3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
![figure 24.](../images/mdt-09-fig24.png)
Figure 24. Folder created in the Runbooks node.
4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
5. On the ribbon bar, select **Check Out**.
6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
- Runbook Control / Initialize Data
- Text File Management / Append Line
8. Connect **Initialize Data** to **Append Line**.
![figure 25.](../images/mdt-09-fig25.png)
Figure 25. Activities added and connected.
9. Right-click the **Initialize Data** activity, and select **Properties**
10. On **the Initialize Data Properties** page, select **Add**, change **Parameter 1** to **OSDComputerName**, and then select **Finish**.
![figure 26.](../images/mdt-09-fig26.png)
Figure 26. The Initialize Data Properties window.
11. Right-click the **Append Line** activity, and select **Properties**.
12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
13. In the **File** encoding drop-down list, select **ASCII**.
14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
![figure 27.](../images/mdt-09-fig27.png)
Figure 27. Expanding the Text area.
15. In the blank text box, right-click and select **Subscribe / Published Data**.
![figure 28.](../images/mdt-09-fig28.png)
Figure 28. Subscribing to data.
16. In the **Published Data** window, select the **OSDComputerName** item, and select **OK**.
17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and select **OK**.
![figure 29.](../images/mdt-09-fig29.png)
Figure 29. The expanded text box after all subscriptions have been added.
19. On the **Append Line Properties** page, select **Finish**.
## Test the demo MDT runbook
After the runbook is created, you're ready to test it.
1. On the ribbon bar, select **Runbook Tester**.
2. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**:
- **OSDComputerName**: PC0010
3. Verify that all activities are green (for more information, see each target).
4. Close the **Runbook Tester**.
5. On the ribbon bar, select **Check In**.
![figure 30.](../images/mdt-09-fig30.png)
Figure 30. All tests completed.
## Use the MDT demo runbook from MDT
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**:
- **Task sequence ID**: OR001
- **Task sequence name**: Orchestrator Sample
- **Task sequence comments**: *\<blank\>*
- **Template**: Custom Task Sequence
3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
4. Remove the default **Application Install** action.
5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
- **Name**: Set Task Sequence Variable
- **Task Sequence Variable**: OSDComputerName
- **Value**: %hostname%
7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
- **Orchestrator Server**: OR01.contoso.com
- Use **Browse** to select **1.0 MDT / MDT Sample**.
8. Select **OK**.
![figure 31.](../images/mdt-09-fig31.png)
Figure 31. The ready-made task sequence.
## Run the orchestrator sample task sequence
Since this task sequence just starts a runbook, you can test the task sequence on the PC0001 client that you used for the MDT simulation environment.
> [!NOTE]
> Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)).
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Using an elevated command prompt (run as Administrator), type the following command:
```cmd
cscript.exe \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
```
3. Complete the **Windows Deployment Wizard** using the following information:
1. **Task Sequence**: Orchestrator Sample
2. **Credentials**:
- **User Name**: MDT\_BA
- **Password**: P@ssw0rd
- **Domain**: CONTOSO
4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
![figure 32.](../images/mdt-09-fig32.png)
Figure 32. The ready-made task sequence.
## Related articles
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)

99
windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
View File

@ -1,99 +0,0 @@
---
title: Use MDT database to stage Windows 10 deployment info (Windows 10)
description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Use the MDT database to stage Windows 10 deployment information
This article is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many more settings for the machines.
## Database prerequisites
MDT can use either SQL Server Express or full SQL Server. However, since the deployment database isn't large, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
> [!NOTE]
> Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
## Create the deployment database
The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
> [!NOTE]
> Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**:
1. SQL Server Name: MDT01
2. Instance: SQLEXPRESS
3. Port: &lt;blank&gt;
4. Network Library: Named Pipes
3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**.
4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**.
![figure 8.](../images/mdt-09-fig08.png)
Figure 8. The MDT database added to MDT01.
## Configure database permissions
After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA.
1. On MDT01, start SQL Server Management Studio.
2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**.
3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
![figure 9.](../images/mdt-09-fig09.png)
Figure 9. The top-level Security node.
4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
1. db\_datareader
2. db\_datawriter
3. public (default)
5. Select **OK**, and close SQL Server Management Studio.
![figure 10.](../images/mdt-09-fig10.png)
Figure 10. Creating the login and settings permissions to the MDT database.
## Create an entry in the database
To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier.
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
2. Right-click **Computers**, select **New**, and add a computer entry with the following settings:
1. Description: New York Site - PC00075
2. MacAddress: &lt;PC00075 MAC Address in the 00:00:00:00:00:00 format&gt;
3. Details Tab / OSDComputerName: PC00075
![figure 11.](../images/mdt-09-fig11.png)
Figure 11. Adding the PC00075 computer to the database.
## Related articles
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

146
windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
View File

@ -1,146 +0,0 @@
---
title: Use web services in MDT (Windows 10)
description: Learn how to create a web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Use web services in MDT
In this article, you'll learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
Using a web service in MDT is straightforward, but it does require that you've enabled the Web Server (IIS) role on the server. Developing web services involves some coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
## Create a sample web service
In these steps, we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://www.microsoft.com/download/details.aspx?id=42516) from the Microsoft Download Center and extracted it to C:\\Projects.
1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
2. On the ribbon bar, verify that Release is selected.
3. In the **Debug** menu, select the **Build MDTSample** action.
4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
- Web.config
- mdtsample.asmx
![figure 15.](../images/mdt-09-fig15.png)
Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
## Create an application pool for the web service
This section assumes that you've enabled the Web Server (IIS) role on MDT01.
1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**.
3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
- **Name**: MDTSample
- **.NET Framework version**: .NET Framework 4.0.30319
- **Manage pipeline mode**: Integrated
- Select the **Start application pool immediately** check box.
- Select **OK**.
![figure 16.](../images/mdt-09-fig16.png)
Figure 16. The new MDTSample application.
## Install the web service
1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
- **Alias**: MDTSample
- **Application pool**: MDTSample
- **Physical Path**: E:\\MDTSample
![figure 17.](../images/mdt-09-fig17.png)
Figure 17. Adding the MDTSample web application.
2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
- **Anonymous Authentication**: Enabled
- **ASP.NET Impersonation**: Disabled
![figure 18.](../images/mdt-09-fig18.png)
Figure 18. Configuring Authentication for the MDTSample web service.
## Test the web service in Internet Explorer
1. On PC0001, using Internet Explorer, navigate to: **`http://MDT01/MDTSample/mdtsample.asmx'**.
2. Select the **GetComputerName** link.
![figure 19.](../images/mdt-09-fig19.png)
Figure 19. The MDT Sample web service.
3. On the **GetComputerName** page, type in the following settings, and select **Invoke**:
- **Model**: Hewlett-Packard
- **SerialNumber**: 123456789
![figure 20.](../images/mdt-09-fig20.png)
Figure 20. The result from the MDT Sample web service.
## Test the web service in the MDT simulation environment
After verifying the web service using Internet Explorer, you're ready to do the same test in the MDT simulation environment.
1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
```ini
[Settings]
Priority=Default, GetComputerName
[Default]
OSInstall=YES
[GetComputerName]
WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName
Parameters=Model,SerialNumber
OSDComputerName=string
```
![figure 21.](../images/mdt-09-fig21.png)
Figure 21. The updated CustomSettings.ini file.
2. Save the CustomSettings.ini file.
3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
```powershell
Set-Location C:\MDT
.\Gather.ps1
```
4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
![figure 22.](../images/mdt-09-fig22.png)
Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
## Related articles
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

668
windows/deployment/windows-10-poc-mdt.md
View File

@ -1,668 +0,0 @@
---
title: Step by step - Deploy Windows 10 in a test lab using MDT
description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 11/23/2022
manager: aaroncz
ms.author: frankroj
author: frankroj
ms.topic: how-to
ms.technology: itpro-deploy
---
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
*Applies to:*
- Windows 10
> [!IMPORTANT]
> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
>
> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
>
> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
>
> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work.
## In this guide
This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
|Topic|Description|Time|
|--- |--- |--- |
|[About MDT](#about-mdt)|A high-level overview of the Microsoft Deployment Toolkit (MDT).|Informational|
|[Install MDT](#install-mdt)|Download and install MDT.|40 minutes|
|[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)|A reference image is created to serve as the template for deploying new images.|90 minutes|
|[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)|The reference image is deployed in the PoC environment.|60 minutes|
|[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)|Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.|60 minutes|
|[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)|Back up an existing client computer, then restore this backup to a new computer.|60 minutes|
|[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)|Log locations and troubleshooting hints.|Informational|
## About MDT
MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
## Install MDT
1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
```powershell
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer
```
1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options.
1. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. Installation might require several minutes to acquire all components.
1. If desired, re-enable IE Enhanced Security Configuration:
```powershell
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
Stop-Process -Name Explorer
```
## Create a deployment share and reference image
A reference image serves as the foundation for Windows 10 devices in your organization.
1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then select **Pin this program to the taskbar**.
5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
6. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**<BR>
- Share name: **MDTBuildLab$**<BR>
- Deployment share description: **MDT build lab**<BR>
- Options: Select **Next** to accept the default<BR>
- Summary: Select **Next**<BR>
- Progress: settings will be applied<BR>
- Confirmation: Select **Finish**
7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
8. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
10. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**<BR>
- Source: **D:\\** <BR>
- Destination: **W10Ent_x64**<BR>
- Summary: Select **Next**
- Progress: wait for files to be copied
- Confirmation: Select **Finish**
For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article.
11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**<BR>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
- Task sequence comments: **Reference Build**<BR>
- Template: **Standard Client Task Sequence**
- Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- Internet Explorer home page: `http://www.contoso.com`
- Admin Password: **Do not specify an Administrator password at this time**
- Summary: Select **Next**
- Confirmation: Select **Finish**
12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
13. Select the **Task Sequence** tab. Under **State Restore** select **Tattoo** to highlight it, then select **Add** and choose **New Group**.
14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. Select another location in the window to see the name change.
15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
> [!NOTE]
> Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
18. Select **OK** to complete editing the task sequence.
19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and select **Properties**, and then select the **Rules** tab.
20. Replace the default rules with the following text:
```ini
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
OSDComputername=#Left("PC-%SerialNumber%",7)#
JoinWorkgroup=WORKGROUP
HideShell=YES
FinishAction=SHUTDOWN
DoNotCreateExtraPartition=YES
ApplyGPOPack=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=NO
```
21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```ini
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV1\MDTBuildLab$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
22. Select **OK** to complete the configuration of the deployment share.
23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
> [!TIP]
> To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
```powershell
New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
Start-VM REFW10X64-001
vmconnect localhost REFW10X64-001
```
The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated.
Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
- Install the Windows 10 Enterprise operating system.
- Install added applications, roles, and features.
- Update the operating system using Windows Update (or WSUS if optionally specified).
- Stage Windows PE on the local disk.
- Run System Preparation (Sysprep) and reboot into Windows PE.
- Capture the installation to a Windows Imaging (WIM) file.
- Turn off the virtual machine.<BR><BR>
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
## Deploy a Windows 10 image using MDT
This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
- **Deployment share path**: C:\MDTProd
- **Share name**: MDTProd$
- **Deployment share description**: MDT Production
- **Options**: accept the default
2. Select **Next**, verify the new deployment share was added successfully, then select **Finish**.
3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then select **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
4. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
5. On the **OS Type** page, choose **Custom image file** and then select **Next**.
6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**.
7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**.
9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, select **Next** twice, wait for the import process to complete, and then select **Finish**.
10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then select **OK**. See the following example:
![custom image.](images/image.png)
### Create the deployment task sequence
1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**.
2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 Custom Image
- Task sequence comments: Production Image
- Select Template: Standard Client Task Sequence
- Select OS: Windows 10 Enterprise x64 Custom Image
- Specify Product Key: Don't specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: `http://www.contoso.com`
- Admin Password: pass@word1
### Configure the MDT production deployment share
1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
```powershell
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
```
2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**.
3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet):
```ini
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
OSDComputername=#Left("PC-%SerialNumber%",7)#
AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=administrator
DomainAdminDomain=CONTOSO
DomainAdminPassword=pass@word1
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
EventService=http://SRV1:9800
```
> [!NOTE]
> The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
In this example, a **MachineObjectOU** entry isn't provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab, clients are added to the default computers OU, which requires that this parameter be unspecified.
If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui):
```cmd
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
```
For example, to migrate **all** users on the computer, replace this line with the following line:
```cmd
ScanStateArgs=/all
```
For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax).
4. Select **Edit Bootstap.ini** and replace text in the file with the following text:
```ini
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV1\MDTProd$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
5. Select **OK** when finished.
### Update the deployment share
1. Right-click the **MDT Production** deployment share and then select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
3. Select **Finish** when the update is complete.
### Enable deployment monitoring
1. In the Deployment Workbench console, right-click **MDT Production** and then select **Properties**.
2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
3. Verify the monitoring service is working as expected by opening the following link on SRV1: `http://localhost:9800/MDTMonitorEvent/`. If you don't see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring).
4. Close Internet Explorer.
### Configure Windows Deployment Services
1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
```cmd
WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
WDSUTIL.exe /Set-Server /AnswerClients:All
```
2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**.
3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then select **Add Boot Image**.
4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, select **Open**, select **Next**, and accept the defaults in the Add Image Wizard. Select **Finish** to complete adding a boot image.
### Deploy the client image
1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
> [!NOTE]
> Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt.
Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
```
>Wait until the disable-netadapter command completes before proceeding.
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
```
Dynamic memory is configured on the VM to conserve resources. However, dynamic memory can cause memory allocation to be reduced below what is required to install an operating system. If memory is reduced below what is required, reset the VM and begin the OS installation task sequence immediately. The reset ensures the VM memory allocation isn't decreased too much while it's idle.
3. Start the new VM and connect to it:
```powershell
Start-VM PC2
vmconnect localhost PC2
```
4. When prompted, hit ENTER to start the network boot process.
5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Enable-NetAdapter "Ethernet 2"
```
7. On SRV1, in the Deployment Workbench console, select on **Monitoring** and view the status of installation. Right-click **Monitoring** and select **Refresh** if no data is displayed.
8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, select **Finish**. You'll be automatically signed in to the local computer as administrator.
![finish.](images/deploy-finish.png)
This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
## Refresh a computer with Windows 10
This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
1. If the PC1 VM isn't already running, then start and connect to it:
```powershell
Start-VM PC1
vmconnect localhost PC1
```
2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
3. Sign on to PC1 using the CONTOSO\Administrator account.
Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
4. Open an elevated command prompt on PC1 and enter the following command:
```cmd
cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
> [!NOTE]
> For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools).
5. Choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
6. Choose **Do not back up the existing computer** and select **Next**.
> [!NOTE]
> The USMT will still back up the computer.
7. Lite Touch Installation will perform the following actions:
- Back up user settings and data using USMT.
- Install the Windows 10 Enterprise X64 operating system.
- Update the operating system via Windows Update.
- Restore user settings and data using USMT.
You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
```
10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
Start-VM PC1
vmconnect localhost PC1
```
11. Sign in to PC1 using the contoso\administrator account.
## Replace a computer with Windows 10
At a high level, the computer replace process consists of:
- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.<BR>
- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
### Create a backup-only task sequence
1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share.
3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-Item -Path C:\MigData -ItemType directory
New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
```
4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**.
5. Name the new folder **Other**, and complete the wizard using default options.
6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard:
- **Task sequence ID**: REPLACE-001
- **Task sequence name**: Backup Only Task Sequence
- **Task sequence comments**: Run USMT to back up user data and settings
- **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template)
7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings.
8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
### Run the backup-only task sequence
1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt:
```cmd
whoami.exe
```
2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
Remove-Item c:\minint -recurse
Remove-Item c:\_SMSTaskSequence -recurse
Restart-Computer
```
3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt:
```cmd
cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
4. Complete the deployment wizard using the following settings:
- **Task Sequence**: Backup Only Task Sequence
- **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
- **Computer Backup**: Don't back up the existing computer.
5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete.
7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
```cmd
dir C:\MigData\PC1\USMT
Directory: C:\MigData\PC1\USMT
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
```
### Deploy PC3
1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
```
2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
```
As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Start-VM PC3
vmconnect localhost PC3
```
4. When prompted, press ENTER for network boot.
5. On PC3, use the following settings for the Windows Deployment Wizard:
- **Task Sequence**: Windows 10 Enterprise x64 Custom Image
- **Move Data and Settings**: Don't move user data and settings
- **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
```powershell
Enable-NetAdapter "Ethernet 2"
```
7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, select **Finish**.
9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
## Troubleshooting logs, events, and utilities
Deployment logs are available on the client computer in the following locations:
- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
- After deployment: %WINDIR%\TEMP\DeploymentLogs
You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then select **Enable Log**.
Also see [Resolve Windows upgrade errors](upgrade/resolve-windows-upgrade-errors.md) for detailed troubleshooting information.
## Related articles
[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)

4
windows/whats-new/TOC.yml
View File

@ -26,10 +26,6 @@
href: whats-new-windows-10-version-22H2.md
- name: What's new in Windows 10, version 21H2
href: whats-new-windows-10-version-21H2.md
- name: What's new in Windows 10, version 21H1
href: whats-new-windows-10-version-21H1.md
- name: What's new in Windows 10, version 20H2
href: whats-new-windows-10-version-20H2.md
- name: Windows commercial licensing overview
href: windows-licensing.md
- name: Deprecated and removed Windows features

BIN
windows/whats-new/images/1_AppBrowser.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 141 KiB

BIN
windows/whats-new/images/2_InstallWDAG.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 253 KiB

BIN
windows/whats-new/images/3_ChangeSettings.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 262 KiB

BIN
windows/whats-new/images/4_ViewSettings.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 121 KiB

BIN
windows/whats-new/images/Multi-app_kiosk_inFrame.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 890 KiB

BIN
windows/whats-new/images/Normal_inFrame.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 531 KiB

BIN
windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 879 KiB

BIN
windows/whats-new/images/beaming.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 550 KiB

BIN
windows/whats-new/images/kiosk-mode.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/whats-new/images/system-guard.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 209 KiB

BIN
windows/whats-new/images/system-guard2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 94 KiB

BIN
windows/whats-new/images/wcd-cleanpc.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 5.7 KiB

BIN
windows/whats-new/images/wcd-options.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/whats-new/images/your-phone.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 2.6 MiB

355
windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
View File

@ -1,355 +0,0 @@
---
title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)?
ms.prod: windows-client
author: mestew
manager: aaroncz
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
# What's new in Windows 10, versions 1507 and 1511 for IT Pros
Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511.
>[!NOTE]
>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info).
## Deployment
### Provisioning devices using Windows Imaging and Configuration Designer (ICD)
With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. An IT administrator using Windows Provisioning can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
[Learn more about provisioning in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
## Security
### AppLocker
#### New AppLocker features in Windows 10, version 1507
- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**.
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
### BitLocker
#### New BitLocker features in Windows 10, version 1511
- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides extra protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
It provides the following benefits:
- The algorithm is FIPS-compliant.
- Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
> [!NOTE]
> Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
#### New BitLocker features in Windows 10, version 1507
<!-- The link in the first bullet below will need to be refreshed Jan/Feb 2017. -->
- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online.
- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview).
### Credential Guard
#### New Credential Guard features in Windows 10, version 1511
- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
- Credentials that are saved by the Remote Desktop Protocol can't be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
- Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials.
- You can't restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this backup before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This setting allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can do this configuration by using Group Policy.
- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg can't delegate default credentials when Credential Guard is enabled.
[Learn how to deploy and manage Credential Guard within your organization](/windows/access-protection/credential-guard/credential-guard).
### Easier certificate management
For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates.
### Microsoft Passport
In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
### Security auditing
#### New Security auditing features in Windows 10, version 1511
- The [WindowsSecurityAuditing](/windows/client-management/mdm/windowssecurityauditing-csp) and [Reporting](/windows/client-management/mdm/reporting-csp) configuration service providers allow you to add security audit policies to mobile devices.
#### New features in Windows 10, version 1507
In Windows 10, security auditing has added some improvements:
- [New audit subcategories](#bkmk-auditsubcat)
- [More info added to existing audit events](#bkmk-moreinfo)
##### <a href="" id="bkmk-auditsubcat"></a>New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's sign-in token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event.
- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play.
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
##### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
- [Changed the kernel default audit policy](#bkmk-kdal)
- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
- [Added new fields in the sign-in event](#bkmk-logon)
- [Added new fields in the process creation event](#bkmk-logon)
- [Added new Security Account Manager events](#bkmk-sam)
- [Added new BCD events](#bkmk-bcd)
- [Added new PNP events](#bkmk-pnp)
##### <a href="" id="bkmk-kdal"></a>Changed the kernel default audit policy
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This setting results in better auditing of services that may start before LSA starts.
##### <a href="" id="bkmk-lsass"></a>Added a default process SACL to LSASS.exe
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is `L"S:(AU;SAFA;0x0010;;;WD)"`. You can enable this process under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
This process can help identify attacks that steal credentials from the memory of a process.
##### <a href="" id="bkmk-logon"></a>New fields in the sign-in event
The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
1. **MachineLogon** String: yes or no
If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
2. **ElevatedToken** String: yes or no
If an account signed in to the PC through the "administrative sign-in" method, this field will be yes. Otherwise, the field is no. Additionally, if this field is part of a split token, the linked sign-in ID (LSAP\_LOGON\_SESSION) will also be shown.
3. **TargetOutboundUserName** String
**TargetOutboundUserDomain** String
The username and domain of the identity that was created by the LogonUser method for outbound traffic.
4. **VirtualAccount** String: yes or no
If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no.
5. **GroupMembership** String
A list of all of the groups in the user's token.
6. **RestrictedAdminMode** String: yes or no
If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
For more information about restricted admin mode, see [Restricted Admin mode for RDP](/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2).
##### <a href="" id="bkmk-process"></a>New fields in the process creation event
The sign-in event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
1. **TargetUserSid** String
The SID of the target principal.
2. **TargetUserName** String
The account name of the target user.
3. **TargetDomainName** String
The domain of the target user..
4. **TargetLogonId** String
The sign-in ID of the target user.
5. **ParentProcessName** String
The name of the creator process.
6. **ParentProcessId** String
A pointer to the actual parent process if it's different from the creator process.
##### <a href="" id="bkmk-sam"></a>New Security Account Manager events
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
- SamrEnumerateGroupsInDomain
- SamrEnumerateUsersInDomain
- SamrEnumerateAliasesInDomain
- SamrGetAliasMembership
- SamrLookupNamesInDomain
- SamrLookupIdsInDomain
- SamrQueryInformationUser
- SamrQueryInformationGroup
- SamrQueryInformationUserAlias
- SamrGetMembersInGroup
- SamrGetMembersInAlias
- SamrGetUserDomainPasswordInformation
##### <a href="" id="bkmk-bcd"></a>New BCD events
Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
- DEP/NEX settings
- Test signing
- PCAT SB simulation
- Debug
- Boot debug
- Integrity Services
- Disable Winload debugging menu
##### <a href="" id="bkmk-pnp"></a>New PNP events
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesnt expect this type of action, such as a domain controller.
[Learn how to manage your security audit policies within your organization](/windows/security/threat-protection/auditing/security-auditing-overview).
### Trusted Platform Module
#### New TPM features in Windows 10, version 1511
- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
#### New TPM features in Windows 10, version 1507
The following sections describe the new and changed functionality in the TPM for Windows 10:
- [Device health attestation](#bkmk-dha)
- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
### <a href="" id="bkmk-dha"></a>Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
Some things that you can check on the device are:
- Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled?
- Is SecureBoot supported and enabled?
>[!NOTE]
>The device must be running Windows 10 and it must support at least TPM 2.0.
[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview).
### User Account Control
User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
You shouldn't turn off UAC because this setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10.
For more information about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
In Windows 10, User Account Control has added some improvements.
#### New User Account Control features in Windows 10, version 1507
- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview).
### VPN profile options
Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including:
- Always-on auto connection behavior
- App=triggered VPN
- VPN traffic filters
- Lock down VPN
- Integration with Microsoft Passport for Work
[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options)
## Management
Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
### MDM support
MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/)
### Unenrollment
When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device.
When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed.
### Infrastructure
Enterprises have the following identity and management choices.
| Area | Choices |
|---|---|
| Identity | Active Directory; Azure AD |
| Grouping | Domain join; Workgroup; Azure AD join |
| Device management | Group Policy; Microsoft Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
> [!NOTE]
> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
### Device lockdown
Do you need a computer that can only do one thing? For example:
- A device in the lobby that customers can use to view your product catalog.
- A portable device that drivers can use to check a route on a map.
- A device that a temporary worker uses to enter data.
You can configure a persistent locked down state to [create a kiosk-type device](/windows/configuration/kiosk-methods). When the locked-down account is logged on, the device displays only the app that you select.
You can also [configure a lockdown state](/windows/configuration/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](/windows/configuration/windows-10-start-layout-options-and-policies).
### Customized Start layout
A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout).
Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
### Microsoft Store for Business
**New in Windows 10, version 1511**
With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or reuse licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
For more information, see [Microsoft Store for Business overview](/microsoft-store/windows-store-for-business-overview).
## Updates
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsofts Windows Update service.
By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
- **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security).
Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Configuration Manager](/configmgr).
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates).
## Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
[Learn more about using Microsoft Edge in the enterprise](/microsoft-edge/deploy/emie-to-improve-compatibility)
## Learn more
- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)

156
windows/whats-new/whats-new-windows-10-version-1607.md
View File

@ -1,156 +0,0 @@
---
title: What's new in Windows 10, version 1607 (Windows 10)
description: What's new in Windows 10 for Windows 10 (version 1607)?
ms.prod: windows-client
ms.localizationpriority: medium
author: mestew
manager: aaroncz
ms.author: mstewart
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
# What's new in Windows 10, version 1607 for IT Pros
Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update).
>[!NOTE]
>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info).
## Deployment
### Windows Imaging and Configuration Designer (ICD)
In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
Windows ICD now includes simplified workflows for creating provisioning packages:
- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates)
- [School provisioning to set up classroom devices for Active Directory](/education/windows/set-up-students-pcs-to-join-domain)
[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
### Windows Upgrade Readiness
Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsofts experience upgrading millions of devices to Windows 10.
With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft.
Use Upgrade Readiness to get:
- A visual workflow that guides you from pilot to production
- Detailed computer and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues, with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
## Windows updates
Windows 10, version 1607, provides administrators with increased control over updates by changing the update deferral increment from weeks to days. Other changes:
- Quality Updates can be deferred up to 30 days and paused for 35 days
- Feature Updates can be deferred up to 180 days and paused for 60 days
- Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB)
- Drivers can be excluded from updates
## Security
### Credential Guard and Device Guard
Isolated User Mode is now included with Hyper-V so you don't have to install it separately.
### Windows Hello for Business
When Windows 10 was first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work won't experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Other changes for Windows Hello in Windows 10, version 1607:
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
### VPN
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
[Learn more about Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
### Windows Defender
Several new features and management options have been added to Windows Defender in Windows 10, version 1607.
- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media.
- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to use the Windows Defender cloud for near-instant protection against new malware.
- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus).
- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
### Microsoft Defender for Endpoint
With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
## Management
### Use Remote Desktop Connection for PCs joined to Azure Active Directory
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
### Taskbar configuration
Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies)
### Mobile device management and configuration service providers (CSPs)
Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607).
### Shared PC mode
Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc)
### Application Virtualization (App-V) for Windows 10
Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, youll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
### User Experience Virtualization (UE-V) for Windows 10
Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to.
With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, youll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
## Learn more
- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)

313
windows/whats-new/whats-new-windows-10-version-1703.md
View File

@ -1,313 +0,0 @@
---
title: What's new in Windows 10, version 1703
description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
ms.prod: windows-client
ms.localizationpriority: medium
author: mestew
manager: aaroncz
ms.author: mstewart
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
# What's new in Windows 10, version 1703 for IT Pros
Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [Whats new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
>[!NOTE]
>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed in Windows 10 Creators Update](removed-features.md).
## Configuration
### Windows Configuration Designer
Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
![wizards for desktop, mobile, kiosk, Surface Hub.](images/wcd-options.png)
Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp).
![remove pre-installed software option.](images/wcd-cleanpc.png)
[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
### Azure Active Directory join in bulk
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
### Windows Spotlight
The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
- **Turn off the Windows Spotlight on Action Center**
- **Do not use diagnostic data for tailored experiences**
- **Turn off the Windows Welcome Experience**
[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
### Start and taskbar layout
Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro.
Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep)
- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
### Cortana at work
Cortana is Microsofts personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, optimized for your business. When your employees sign in with an Azure Active Directory (Azure AD) account, they can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
Using Azure AD also means that you can remove an employees profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview)
## Deployment
### MBR2GPT.EXE
MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
## Security
### Microsoft Defender for Endpoint
New features in Microsoft Defender for Endpoint for Windows 10, version 1703 include:
- **Detection**: Enhancements to the detection capabilities include:
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
- Upgraded detections of ransomware and other advanced attacks
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
- **Investigation**: Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Microsoft Defender for Endpoint portal. Other capabilities have been added to help you gain a holistic view on investigations.
Other investigation enhancements include:
- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
- **Response**: When an attack is detected, security response teams can now take immediate action to contain a breach:
- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
- **Other features**
- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
You can read more about ransomware mitigations and detection capability in Microsoft Defender for Endpoint in the blog: [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10 and the new capabilities in Windows 10, version 1703 see [Microsoft Defender for Endpoint for Windows 10 Creators Update](/windows/deployment/deploy-whats-new).
### Microsoft Defender Antivirus
Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).
The new library includes information on:
- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus)
- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus)
- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus)
- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features)
- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)
Some of the highlights of the new library include:
- [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus)
- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus)
New features for Microsoft Defender AV in Windows 10, version 1703 include:
- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus)
- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
### Device Guard and Credential Guard
More security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
### Group Policy Security Options
The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
A new security policy setting
[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign-in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
### Windows Hello for Business
You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
## Update
### Windows Update for Business
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy hasn't been configured. We've also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
### Windows Insider for Business
We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization, especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register).
### Optimize update delivery
With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Configuration Manager, starting with version 1702 of Configuration Manager, and with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
>[!NOTE]
> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
Delivery Optimization policies now enable you to configure more restrictions to have more control in various scenarios.
Added policies include:
- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
### Uninstalled in-box apps no longer automatically reinstall
Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This condition won't apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
## Management
### New MDM capabilities
Windows 10, version 1703 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider).
Some of the other new CSPs are:
- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
- The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
- The [NetworkProxy CSP](/windows/client-management/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
- The [Office CSP](/windows/client-management/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options).
- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
### Mobile application management support for Windows 10
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
For more info, see [Implement server-side support for mobile application management on Windows](/windows/client-management/mdm/implement-server-side-mobile-application-management).
### MDM diagnostics
In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an extra tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
For more info, see the following topics:
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
- [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
### Windows diagnostic data
Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
### Group Policy spreadsheet
Learn about the new Group Policies that were added in Windows 10, version 1703.
- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
## Miracast on existing wireless network or LAN
In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb).
Miracast over Infrastructure offers many benefits:
- Windows automatically detects when sending the video stream over this path is applicable.
- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
- No changes to current wireless drivers or PC hardware are required.
- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct.
- It uses an existing connection that reduces the time to connect and provides a stable stream.
### How it works
Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, and via multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
### Enabling Miracast over Infrastructure
If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following requirements are true within your deployment:
- The device (PC or Surface Hub) needs to be running Windows 10, version 1703.
- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (for example, using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this resolution by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
It's important to note that Miracast over Infrastructure isn't a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and dont have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
## New features in related products
The following new features aren't part of Windows 10, but help you make the most of it.
### Upgrade Readiness
Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following topics:
- [Windows Analytics blog](/archive/blogs/upgradeanalytics/)
- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
### Update Compliance
Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).

152
windows/whats-new/whats-new-windows-10-version-1709.md
View File

@ -1,152 +0,0 @@
---
title: What's new in Windows 10, version 1709
description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
ms.prod: windows-client
author: mestew
manager: aaroncz
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
# What's new in Windows 10, version 1709 for IT Pros
**Applies to**
- Windows 10, version 1709
Below is a list of some of the new and updated content that discusses IT Pro features in Windows 10, version 1709, also known as the Fall Creators Update. Windows 10, version 1709 also contains all features and fixes included in previous cumulative updates to Windows 10, version 1703.
A brief description of new or updated features in this version of Windows 10 is provided, with links to content with more detailed information. The following 3-minute video summarizes these features.
&nbsp;
> [!video https://www.microsoft.com/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
## Deployment
### Windows Autopilot
Windows Autopilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot).
You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
### Windows 10 Subscription Activation
Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your organization with no keys and no reboots using a list of subscribed users. When a subscribed user signs in on their Windows 10 Pro device, features that are Enterprise-only are automatically enabled. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
### Autopilot Reset
IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom sign-in screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
## Update
### Windows Update for Business
Windows Update for Business now has more controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
### Windows Insider Program for Business
You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
## Administration
### Mobile Device Management (MDM)
MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory-joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
## Application Management
### Mixed Reality Apps
This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality).
## Configuration
### Kiosk Configuration
The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
## Security
>[!NOTE]
>Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall.
**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
### Microsoft Defender for Endpoint
Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices).
### Windows Defender Application Guard
Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview).
### Windows Defender Exploit Guard
Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection).
### Windows Defender Device Guard
Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
### Windows Information Protection
Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
### Windows Hello
New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](/windows/access-protection/hello-for-business/hello-identity-verification).
### BitLocker
The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
### Windows security baselines
Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
### SMBLoris vulnerability
An issue, known as _SMBLoris_, which could result in denial of service, has been addressed.
## Windows Analytics
### Upgrade Readiness
Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
### Update Compliance
New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor).
### Device Health
Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor).
## Networking
### Network stack
Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
## See Also
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.<br>
[What's New in Windows 10](./index.yml): See whats new in other versions of Windows 10.<br>
[What's new in Windows 10, version 1709](/windows-hardware/get-started/what-s-new-in-windows): See whats new in Windows 10 hardware.<br>
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709.
[Threat protection on Windows 10](/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.<br>

233
windows/whats-new/whats-new-windows-10-version-1803.md
View File

@ -1,233 +0,0 @@
---
title: What's new in Windows 10, version 1803
description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
ms.prod: windows-client
author: mestew
manager: aaroncz
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
# What's new in Windows 10, version 1803 for IT Pros
**Applies to**
- Windows 10, version 1803
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709.
>If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in [hardware](/windows-hardware/get-started/what-s-new-in-windows), for [developers](/windows/uwp/whats-new/windows-10-build-17134), and for [consumers](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update).
The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
> [!video https://www.microsoft.com/videoplayer/embed/RE21ada?autoplay=false]
## Deployment
### Windows Autopilot
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.
With the help of Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information.
### Windows 10 in S mode
Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode - by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer.
Some additional information about Windows 10 in S mode:
- Microsoft-verified. All of your applications are verified by Microsoft for security and performance.
- Performance that lasts. Start-ups are quick, and S mode is built to keep them that way.
- Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps.
- S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices.
If you want to switch out of S mode, you'll be able to do so at no charge, regardless of edition. Once you switch out of S mode, you can't switch back.
For more information, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
### Windows 10 kiosk and Kiosk Browser
With this release, you can easily deploy and manage kiosk devices with Microsoft Intune in single- and multiple-app scenarios. These scenarios include the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
- Support for multiple screens for digital signage use cases.
- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
- The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
- For multi-user Firstline Worker kiosk devices, instead of specifying every user, its now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.
For more information, see:
- [Making IT simpler with a modern workplace](https://www.microsoft.com/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
### Windows 10 Subscription Activation
With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.
For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation).
### DISM
The following new DISM commands have been added to manage feature updates:
| Command | Description |
|---|---|
| `DISM /Online /Initiate-OSUninstall` | Initiates an OS uninstall to take the computer back to the previous installation of windows. |
| `DISM /Online /Remove-OSUninstall` | Removes the OS uninstall capability from the computer. |
| `DISM /Online /Get-OSUninstallWindow` | Displays the number of days after upgrade during which uninstall can be performed. |
| `DISM /Online /Set-OSUninstallWindow` | Sets the number of days after upgrade during which uninstall can be performed. |
For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
### Windows Setup
You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
Prerequisites:
- Windows 10, version 1803 or later.
- Windows 10 Enterprise or Pro
For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option:
`/PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}]`
For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
New command-line switches are also available to control BitLocker:
| Command | Description |
|---|---|
| `Setup.exe /BitLocker AlwaysSuspend` | Always suspend BitLocker during upgrade. |
| `Setup.exe /BitLocker TryKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade doesn't work, then suspend BitLocker and complete the upgrade. |
| `Setup.exe /BitLocker ForceKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade doesn't work, fail the upgrade. |
For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
### SetupDiag
[SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
### Windows Update for Business
Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure).
### Feature update improvements
Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This migration has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
## Configuration
### Co-management
**Intune** and **Microsoft Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
### OS uninstall period
The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
### Windows Hello for Business
[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#windows-10-kiosk-and-kiosk-browser) section.
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
- You can set up Windows Hello from lock screen for Microsoft accounts. Weve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
- It's easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
## Accessibility and Privacy
### Accessibility
"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in the [Whats new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
### Privacy
In the Feedback and Settings page under Privacy Settings, you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app.
## Security
### Security Baselines
The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
### Microsoft Defender Antivirus
Microsoft Defender Antivirus now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud-based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
### Windows Defender Exploit Guard
Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
For more information, see [Reduce attack surfaces](/microsoft-365/security/defender-endpoint/attack-surface-reduction).
### Microsoft Defender for Endpoint
[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-hunting-query-language) has been enhanced with many new capabilities. For more information, see the following topics:
- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-query-language)
- [Use Automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations)
- [Enable conditional access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access)
Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97).
### Windows Defender Application Guard
Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements).
### Windows Defender Device Guard
Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
### Windows Information Protection
This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
### Office 365 Ransomware Detection
For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US).
## Windows Analytics
### Upgrade Readiness
Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](/archive/blogs/upgradeanalytics/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections).
### Update Compliance
Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](/windows/deployment/update/update-compliance-delivery-optimization).
### Device Health
Device Healths new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords—for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using).
## Microsoft Edge
iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip).
Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved.
## See Also
- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
- [What's New in Windows 10](./index.yml): See whats new in other versions of Windows 10.
- [What's new in Windows 10, version 1709](/windows-hardware/get-started/what-s-new-in-windows): See whats new in Windows 10 hardware.
- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709.

301
windows/whats-new/whats-new-windows-10-version-1809.md
View File

@ -1,301 +0,0 @@
---
title: What's new in Windows 10, version 1809
description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
ms.prod: windows-client
author: mestew
manager: aaroncz
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 01/31/2023
---
# What's new in Windows 10, version 1809 for IT Pros
>Applies To: Windows 10, version 1809
In this article, we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803.
<!---
The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
> [!video https://www.youtube.com/embed/hAva4B-wsVA]
--->
## Deployment
### Windows Autopilot self-deploying mode
Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot.
This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
You can utilize Windows Autopilot self-deploying mode to register the device to an Azure Active Directory tenant, enroll in your organizations MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](/windows/deployment/windows-autopilot/self-deploying).
### SetupDiag
[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful.
## Security
Weve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
> [!div class="mx-imgBorder"]
> ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings")
With controlled folder access, you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. Weve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
We added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your devices time isn't properly synced with our time servers and the time-syncing service is disabled, well provide the option for you to turn it back on.
Were continuing to work on how other security apps youve installed show up in the **Windows Security** app. Theres a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers apps or get more information on how to resolve issues reported to you through **Windows Security**.
This functionality also means youll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, youll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
### BitLocker
#### Silent enforcement on fixed drives
Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD)-joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this effect of the encryption still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that dont pass the HSTI.
This new functionality is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and used by Intune and others.
This feature will soon be enabled on Olympia Corp as an optional feature.
#### Delivering BitLocker policy to Autopilot devices during OOBE
You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This option allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
To achieve this setting:
1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group.
> [!IMPORTANT]
> The encryption policy must be assigned to **devices** in the group, not users.
3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
> [!IMPORTANT]
> If the ESP is not enabled, the policy will not apply before encryption starts.
For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](/windows/deployment/windows-autopilot/bitlocker).
### Windows Defender Application Guard Improvements
Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings.
Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709).
To try this settings management, perform the following steps:
1. Go to **Windows Security** and select **App & browser control**.
2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device.
3. Select **Change Application Guard** settings.
4. Configure or check Application Guard settings.
See the following example:
> [!div class="mx-imgBorder"]
> ![Security at a glance.](images/1_AppBrowser.png "app and browser control")
> [!div class="mx-imgBorder"]
> ![Isolated browser.](images/2_InstallWDAG.png "isolated browsing")
> [!div class="mx-imgBorder"]
> ![change WDAG settings.](images/3_ChangeSettings.png "change settings")
> [!div class="mx-imgBorder"]
> ![view WDAG settings.](images/4_ViewSettings.jpg "view settings")
### Windows Security Center
Windows Defender Security Center is now called **Windows Security Center**.
You can still get to the app in all the usual waysask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**.
The WSC service now requires antivirus products to run as a protected process to register.Products that haven't yet implemented this execution won't appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products.
WSC now includes the Fluent Design System elements you know and love. Youll also notice weve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you've enabled that option in **Color Settings**.
![alt text.](images/defender.png "Windows Security Center")
### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes
You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This support was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead).
### Microsoft Edge Group Policies
We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge).
### Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.
### Windows 10 Pro S Mode requires a network connection
A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE).
### Microsoft Defender for Endpoint
[Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics)<br>
Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain, increase organizational resilience, and prevent specific threats.
- [Custom detection](/microsoft-365/security/defender/custom-detections-overview)<br>
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This query creation can be done by using the power of Advanced hunting through the creation of custom detection rules.
- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)<br>
Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration.
The integration will allow MSSPs to take the following actions:
Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<br>
Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)<br>
Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines.
- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) <br>
Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<br>
Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor
## Cloud Clipboard
Cloud clipboard helps users copy content between devices. It also manages the clipboard history so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard:
1. Go to **Windows Settings** and select **Systems**.
2. On the left menu, click on **Clipboard**.
3. Turn on **Clipboard history**.
4. Turn on **Sync across devices**. Choose whether or not to automatically sync copied text across your devices.
## Kiosk setup experience
We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page.
![set up a kiosk.](images/kiosk-mode.png "set up a kiosk")
Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode.
2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users can't minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types.
>[!NOTE]
>The following Microsoft Edge kiosk mode types cannot be set up using the new simplified assigned access configuration wizard in Windows 10 Settings.
**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store isn't set up, users can't get books.
![normal mode.](images/Normal_inFrame.png "normal mode")
Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
## Registry editor improvements
We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
![Registry editor dropdown.](images/regeditor.png "Registry editor dropdown")
## Faster sign-in to a Windows 10 shared pc
Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash!
**To enable fast sign-in:**
1. Set up a shared or guest device with Windows 10, version 1809.
2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in.
3. Sign-in to a shared PC with your account. You'll notice the difference!
![fast sign-in.](images/fastsignin.png "fast sign-in")
>[!NOTE]
>This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time.
## Web sign-in to Windows 10
>[!IMPORTANT]
>This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time.
Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows sign-in support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass.
**To try out web sign-in:**
1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in.
3. On the lock screen, select web sign-in under sign-in options.
4. Click the **Sign in** button to continue.
> [!div class="mx-imgBorder"]
> ![Web sign-in.](images/websignin.png "web sign-in")
>[!NOTE]
>This is a private preview feature and therefore not meant or recommended for production purposes.
## Your Phone app
Android phone users, you can finally stop emailing yourself photos. With Your Phone, you get instant access to your Androids most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. Youll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future.
For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what youre doing-read, watch, or browse-with all the benefits of a bigger screen.
:::image type="content" source="images/your-phone.png" alt-text="Your phone.":::
The desktop pin takes you directly to the **Your Phone** app for quicker access to your phones content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**.
## Wireless projection experience
One of the things weve heard from you is that its hard to know when youre wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, youll see a control banner at the top of your screen when youre in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes:
* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible
* Video mode increases the screen-to-screen latency to ensure the video on the large screen plays back smoothly
* Productivity modes strike a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos dont glitch as often.
![wireless projection banner.](images/beaming.png "wireless projection banner")
## Remote Desktop with Biometrics
Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.
Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.
Azure Active Directory and Active Directory users using Windows Hello for Business in a certificate trust model, can use biometrics to authenticate to a remote desktop session.
To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the device you want to connect to, and select **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. Windows uses biometrics to authenticate the RDP session to the Windows device. You can continue to use Windows Hello for Business in the remote session, but in the remote session you must use the PIN.
See the following example:
![Enter your credentials for Windows Hello.](images/RDPwBioTime.png "Windows Hello")
![Remote Desktop Connection.](images/RDPwBio2.png "Windows Hello personal")
![Microsoft Hyper-V Server 2016.](images/hyper-v.png "Microsoft Hyper-V Server 2016")

148
windows/whats-new/whats-new-windows-10-version-1903.md
View File

@ -1,148 +0,0 @@
---
title: What's new in Windows 10, version 1903
description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 11/17/2023
---
# What's new in Windows 10, version 1903 for IT Pros
**Applies to**
- Windows 10, version 1903.
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
>[!NOTE]
>
>New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don't meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
## Deployment
### Windows Autopilot
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in this version of Windows. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### SetupDiag
[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the `rules.xml` file, which is extracted when SetupDiag is run. The `rules.xml` file are updated as new versions of SetupDiag are made available.
### Reserved storage
[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327) sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage is enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It isn't enabled when updating from a previous version of Windows 10.
## Servicing
- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content.
- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and lock their device in order to complete the update. This automatic sign-in ensures that when the user returns and unlocks the device, the update is completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to be updated before pausing again.
- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users are now able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
## Security
### Windows Information Protection
With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
### Security configuration framework
With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md), called the **SECCON framework**, comprised of 5 device security configurations.
### Security baseline for Windows 10 and Windows Server
The draft release of the [security configuration baseline settings](/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903) for Windows 10, version 1903 and for Windows Server version 1903 is available.
### Intune security baselines
[Intune Security Baselines](/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.
### Microsoft Defender for Endpoint
- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls are extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
- Tamper-proofing capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality are extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
### Microsoft Defender for Endpoint next-gen protection technologies
- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
- **Emergency outbreak protection**: Provides emergency outbreak protection that automatically updates devices with new intelligence when a new outbreak is detected.
- **Certified ISO 27001 compliance**: Ensures that the cloud service is analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
- **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies.
### Threat Protection
- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
- [Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone.
- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAGs browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
To try this extension:
1. Configure WDAG policies on your device.
2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
3. Follow any of the other configuration steps on the extension setup page.
4. Reboot the device.
5. Navigate to an untrusted site in Chrome and Firefox.
- WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users are automatically redirected to their host default browser when they enter or select on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker.
- [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
1. Enforce and audit side-by-side.
1. Simpler targeting for policies with different scope/intent.
1. expanding a policy using a new supplemental policy.
- [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files are checked for write permissions for unknown admins. If a file is found to be user writeable, the system blocks the executable from running unless it receives authorization from a source other than a path rule, such as a signer or hash rule.
- This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time. This capability isn't available with AppLocker.
- [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
#### System Guard
[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner. Specifically, OS memory and secrets are protected from SMM.
This new feature is displayed under the Device Security page with the string `Your device exceeds the requirements for enhanced hardware security` if configured properly:
![System Guard.](images/system-guard.png "SMM Firmware Measurement")
### Identity Protection
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Microsoft Entra ID.
- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience.
- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Security management
- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
## Microsoft Edge
Several new features are coming in the next version of Microsoft Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
## See Also
- [What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
- [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what's new in Windows 10 hardware.
- [What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.

139
windows/whats-new/whats-new-windows-10-version-1909.md
View File

@ -1,139 +0,0 @@
---
title: What's new in Windows 10, version 1909
description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
# What's new in Windows 10, version 1909 for IT Pros
**Applies to**
- Windows 10, version 1909
This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903.
## Servicing
Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements.
To deliver these updates in an optimal fashion, we're providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you're running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update.
If you're updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97).
**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, see the [Windows lifecycle fact sheet](/lifecycle/faq/windows).
### Windows Server Update Services (WSUS)
Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903.
### Windows Update for Business
If you're using Windows Update for Business, you'll receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
## Security
### Credential Guard
[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Microsoft BitLocker
BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
### Key-rolling and Key-rotation
Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
### Transport Layer Security (TLS)
An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog.
>[!NOTE]
>The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
## Virtualization
### Windows Sandbox
[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation.
## Windows Virtual Desktop
[Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally!
Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant.
## Deployment
### Microsoft Intune family of products
Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
### Windows 10 Pro and Enterprise in S mode
You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see [Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices](/windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s).
### SetupDiag
[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available.
SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
### Windows Assessment and Deployment Toolkit (ADK)
A new [Windows ADK](/windows-hardware/get-started/adk-install) will **not be released** for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909.
## Desktop Analytics
[Desktop Analytics](/configmgr/desktop-analytics/overview) is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
## Microsoft Connected Cache
Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a "configure once and forget it" solution that transparently caches content that your devices on your network need.
## Accessibility
This release adds the ability for Narrator and other assistive technologies to read and learn where the FN key is located on keyboards and what state it is in (locked versus unlocked).
## Processor requirements and enhancements
### Requirements
[Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements) have been updated for this version of Windows.
### Favored CPU Core Optimization
This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications.
When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance than the other cores on the die.
With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology "delivers more than 15% better single-threaded performance".
### Debugging
More debugging capabilities for newer Intel processors have been added in this release. These newly added capabilities are only relevant for hardware manufacturers.
### Efficiency
General battery life and power efficiency improvements for PCs with certain processors have been added in this release.
## See Also
[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.<br>
[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.<br>
[Features and functionality removed in Windows 10](removed-features.md): Removed features.<br>
[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.<br>
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.<br>
[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.<br>
[What's new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.<br>

267
windows/whats-new/whats-new-windows-10-version-2004.md
View File

@ -1,267 +0,0 @@
---
title: What's new in Windows 10, version 2004
description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
# What's new in Windows 10, version 2004 for IT Pros
**Applies to**
- Windows 10, version 2004
This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.
To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update).
> [!NOTE]
> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003.
## Security
### Windows Hello
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
### Windows Defender System Guard
In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO.
With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
![System Guard.](images/system-guard2.png)
### Windows Defender Application Guard
[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon.
## Deployment
### Windows Setup
Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
Improvements in Windows Setup with this release also include:
- Reduced offline time during feature updates
- Improved controls for reserved storage
- Improved controls and diagnostics
- New recovery options
For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464).
### SetupDiag
In Windows 10, version 2004, SetupDiag is now automatically installed.
[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
### Windows Autopilot
With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this skip was only supported with self-deploying profiles.
### Microsoft Configuration Manager
An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
### Windows Assessment and Deployment Toolkit (ADK)
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
### Microsoft Deployment Toolkit (MDT)
MDT version 8456 supports Windows 10, version 2004, but there's currently an issue that causes MDT to incorrectly detect that UEFI is present. There's an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue.
For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
## Servicing
### Delivery Optimization
Windows PowerShell cmdlets have been improved:
- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
Other improvements:
- Enterprise network [throttling is enhanced](/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
The following [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background.
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- Reason: Impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: Separated to foreground and background.
### Windows Update for Business
[Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue using deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
## Networking
### Wi-Fi 6 and WPA3
Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.
### TEAP
In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
## Virtualization
### Windows Sandbox
[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration.
[Windows Sandbox configuration](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox.
- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This setting is disabled by default due to issues with copy & paste.
- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox.
- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox.
- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox.
Windows Media Player is also added back to the Sandbox image in this release.
Windows Sandbox also has improved accessibility in this release, including:
- Microphone support is available.
- Added functionality to configure the audio input device via the Windows Sandbox config file.
- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode.
- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode.
### Windows Subsystem for Linux (WSL)
With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but wouldn't shrink when no longer needed.
[WSL2](/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization.
For a full list of updates to WSL, see the [WSL release notes](/windows/wsl/release-notes).
### Windows Virtual Desktop (WVD)
Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, and the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
## Microsoft Edge
Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new).
Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/).
## Application settings
This release enables explicit [Control over restarting apps at sign-in (Build 18965)](/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
## Windows Shell
Several enhancements to the Windows 10 user interface are implemented in this release:
### Cortana
[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004:
- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
- In the coming months, with regular app updates through the Microsoft Store, we'll enhance this experience to support wake word invocation and enable listening when you say "Cortana", offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365's enterprise-level privacy, security, and compliance promises](/microsoft-365/admin/misc/cortana-integration) as set out in the Online Services Terms.
- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020).
### Windows Search
Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm).
### Virtual Desktops
There's a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
### Bluetooth pairing
Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985).
### Reset this PC
The 'reset this PC' recovery function now includes a [cloud download](/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
### Task Manager
The following items are added to Task Manager in this release:
- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
- Disk type is now [listed for each disk on the Performance tab](/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
## Graphics & display
### DirectX
[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release.
### 2-in-1 PCs
See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
### Specialized displays
With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose.
Examples include:
- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators
- Medical imaging devices with custom panels, such as grayscale X-ray displays
- Video walls like those displayed in Microsoft Store
- Dedicated video monitoring
- Monitor panel testing and validation
- Independent Hardware Vendor (IHV) driver testing and validation
To prevent Windows from using a display, choose Settings > Display and select Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use.
## Desktop Analytics
[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new).
## See Also
- [What's new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
- [What's new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
- [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
- [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features.
- [Features and functionality removed in Windows 10](removed-features.md): Removed features.
- [Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.

152
windows/whats-new/whats-new-windows-10-version-20H2.md
View File

@ -1,152 +0,0 @@
---
title: What's new in Windows 10, version 20H2
description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update).
ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
ms.topic: article
ms.collection:
- highpri
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 20H2</a>
---
# What's new in Windows 10, version 20H2 for IT Pros
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004.
> [!NOTE]
> With this release and future releases, the Windows 10 release nomenclature is changing from a year and month pattern (YYMM) to a year and half-year pattern (YYH1, YYH2).
As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](/lifecycle/faq/windows), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**).
## Microsoft Edge
This release automatically includes the new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser instead of the legacy version of Edge. For more information, see the [Microsoft Edge documentation](/microsoft-edge/).
## Servicing
### Windows Update
There are several changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for updates. For more information, see [Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547).
Starting with Windows 10, version 20H2, LCUs and SSUs have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039).
## Deployment
New guidance is available to help prepare a [servicing strategy](/windows/deployment/update/waas-servicing-strategy-windows-10-updates) and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible.
Activities are grouped into the following phases: **Plan** > **Prepare** > **Deploy**:
**Plan** your deployment by evaluating and understanding essential activities:
- Create a [phased deployment plan](/windows/deployment/update/create-deployment-plan)
- Assign [roles and responsibilities](/windows/deployment/update/plan-define-readiness#process-manager) within your organization
- Set [criteria](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) to establish readiness for the upgrade process
- Evaluate your [infrastructure and tools](/windows/deployment/update/eval-infra-tools)
- Determine [readiness](/windows/deployment/update/plan-determine-app-readiness) for your business applications
- Create an effective, schedule-based [servicing strategy](/windows/deployment/update/plan-define-strategy)
**Prepare** your devices and environment for deployment by performing necessary actions:
- Update [infrastructure and tools](/windows/deployment/update/prepare-deploy-windows#prepare-infrastructure-and-environment)
- Ensure the needed [services](/windows/deployment/update/prepare-deploy-windows#prepare-applications-and-devices) are available
- Resolve issues with [unhealthy devices](/windows/deployment/update/prepare-deploy-windows#address-unhealthy-devices)
- Ensure that [users are ready](/windows/deployment/update/prepare-deploy-windows) for updates
**Deploy** and manage Windows 10 strategically in your organization:
- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the setup, configuration, and delivery of new devices
- Use [Configuration Manager](/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices
- Use [Windows Update for Business](/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](/windows/deployment/update/waas-wufb-group-policy) for your devices
- [Deploy Windows updates](/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS)
- Manage bandwidth for updates with [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization)
- [Monitor Windows Updates](/windows/deployment/update/update-compliance-monitor) with Update Compliance
### Windows Autopilot
Enhancements to Windows Autopilot since the last release of Windows 10 include:
- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
### Windows Assessment and Deployment Toolkit (ADK)
There's no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
## Device management
Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
## Security
### Microsoft Defender for Endpoint
This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
### Microsoft Defender Application Guard for Office
Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
### Windows Hello
With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
## Virtualization
### Windows Sandbox
New policies for [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](/windows/client-management/mdm/policy-csp-windowssandbox).
### Windows Virtual Desktop (WVD)
> **Note**: WVD is not tied directly to a Windows 10 release, but it is included here as an evolving capability of Windows.
New capabilities in WVD were announced at Ignite 2020. For more information, see [Announcing new management, security, and monitoring capabilities in Windows Virtual Desktop](https://aka.ms/wvd-ignite2020-blogpost).
In addition, [Windows Virtual Desktop is now generally available in the Azure Government cloud](https://azure.microsoft.com/updates/windows-virtual-desktop-is-now-generally-available-in-the-azure-government-cloud/).
## Windows Shell
Some enhancements to the Windows 10 user interface are implemented in this release:
- With this release, the solid color behind tiles on the Start menu is replaced with a partially transparent background. Tiles are also theme-aware.
- Icons on the Start menu no longer have a square outline around each icon.
- Notifications are slightly updated in appearance.
- You can now change the monitor refresh rate on advanced display settings.
- Alt+Tab now shows Edge browser tabs by default. You can edit this setting under **Settings** > **System** > **Multitasking**: **Alt+Tab**.
- The System control panel under System and Security has been updated to the Settings > About page. Links to Device Manager, Remote desktop, System protection, Advanced system settings, and Rename this PC are moved to the About page.
### 2-in-1 PCs
On a 2-in-1 device, Windows will now automatically switch to tablet mode when you detach the screen.
## Surface
Windows 10 Pro and Enterprise are now [available on Surface Hub 2](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/announcing-the-availability-of-windows-10-pro-and-enterprise-on/ba-p/1624107). For more information, see [What's new in Surface Hub 2S for IT admins](/surface-hub/surface-hub-2s-whats-new).
## Desktop Analytics
[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new).
## See Also
[Whats new for IT pros in Windows 10, version 20H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-20h2/ba-p/1800132)<br>
[Get started with the October 2020 update to Windows 10](https://www.linkedin.com/learning/windows-10-october-2020-update-new-features-2/get-started-with-the-october-2020-update-to-windows-10)<br>
[Learn Windows 10 with the October 2020 Update](https://www.linkedin.com/learning/windows-10-october-2020-update-essential-training/learn-windows-10-with-the-october-2020-update)<br>
[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
[What's New in Windows 10](./index.yml): See whats new in other versions of Windows 10.<br>
[Announcing more ways were making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.<br>
[Features and functionality removed in Windows 10](removed-features.md): Removed features.<br>
[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.<br>

139
windows/whats-new/whats-new-windows-10-version-21H1.md
View File

@ -1,139 +0,0 @@
---
title: What's new in Windows 10, version 21H1
description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update).
ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
ms.topic: conceptual
ms.collection:
- highpri
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H1</a>
---
# What's new in Windows 10, version 21H1 for IT Pros
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 21H1, also known as the **Windows 10 May 2021 Update**. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 20H2.
Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2, have the ability to update quickly to version 21H1 via an enablement package. For more information, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736).
## Servicing
### Windows Update
Starting with Windows 10, version 20H2 and including this release, Latest Cumulative Updates (LCUs) and Servicing Stack Updates (SSUs) have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039).
Also see [What's next for Windows 10 updates](https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/).
## Deployment
### Windows Autopilot
A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios.
A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).
For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
### Windows Assessment and Deployment Toolkit (ADK)
There's no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
## Device management
Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios:
- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report.
## Security
### Windows Defender Application Guard (WDAG)
WDAG performance is improved with optimized document opening times:
- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
- The performance of Robocopy is improved when copying files over 400 MB in size.
### Windows Hello
Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
## Microsoft Edge
The new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser is included with this release. For more information about what's new in Edge, see the [Microsoft Edge insider](https://www.microsoftedgeinsider.com/whats-new).
## General fixes
For more information on the general fixes, see the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/).
This release includes the following enhancements and issues fixed:
- a memory leak in Internet Explorer 11 that occurs when you use the Chinese language pack.
- COM+ callout policies that cause a deadlock in certain applications.
- an issue that prevents certain Win32 apps from opening as a different user when you use the runas
- unexpected screens during the Windows Out of Box Experience (OOBE).
- an issue that might cause a deadlock when a COM server delivers an event to multiple subscribers in parallel.
- an issue in Advanced display settings that shows the incorrect refresh rates available for high dynamic range (HDR) displays.
- an issue that might prevent certain CAD applications from opening if those applications rely on OpenGL.
- an issue that might cause video playback to flicker when rendering on certain low-latency capable monitors.
- an issue that sometimes prevents the input of strings into the Input Method Editor (IME).
- an issue that exhausts resources because Desktop Windows Manager (DWM) leaks handles and virtual memory in Remote Desktop sessions.
- a stop error that occurs at the start.
- an issue that might delay a Windows Hello for Business (WHfB) Certificate Trust deployment when you open the Settings-> Accounts-> Sign-in Options page.
- an issue that might prevent some keyboard keys from working, such as the home, Ctrl, or left arrow keys when you set the Japanese IME input mode to Kana.
- removed the history of previously used pictures from a user account profile.
- wrong language displayed on a console after you change the system locale.
- host process of Windows Remote Management (WinRM) can stop working when it formats messages from a PowerShell plugin.
- Windows Management Instrumentation (WMI) service caused a heap leak each time security settings are applied to WMI namespace permissions.
- screen rendering after opening games with certain hardware configurations.
- startup times for applications that have roaming settings when User Experience Virtualization (UE-V) is turned on.
- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
- high memory and CPU utilization in Microsoft Defender for Endpoint.
- We enhanced data loss prevention and insider risk management solution functionalities in Microsoft 365 endpoints.
- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, "WDAG Report - Container: Error: 0x80070003, Ext error: 0x00000001". This issue occurs after installing the .NET update KB4565627.
- an issue that prevents wevtutil from parsing an XML file.
- failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes.
- We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode.
- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum isn't valid.
- the WinHTTP AutoProxy service doesn't comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically.
- We improved the ability of the WinHTTP Web Proxy Auto-Discovery Service to ignore invalid Web Proxy Auto-Discovery Protocol (WPAD) URLs that the Dynamic Host Configuration Protocol (DHCP) server returns.
- We displayed the proper Envelope media type as a selectable output paper type for Universal Print queues.
- We ended the display of a random paper size for a printer when it uses the Microsoft Internet Printing Protocol (IPP) Class Driver.
- We enabled Windows to retrieve updated printer capabilities to ensure that users have the proper set of selectable print options.
- We updated support for hole punch and stapling locations for print jobs with long edge first paper feed direction on certain printers.
- an issue that might cause the IKEEXT service to stop working intermittently.
- an issue that might prevent a Non-Volatile Memory Express (NVMe) device from entering the proper power state.
- an issue that might cause stop error 7E in sys on servers running the Network File System (NFS) service.
- an issue that prevents the User Profile Service from detecting a slow or a fast link reliably.
- an issue that causes contention for a metadata lock when using Work Folders.
- We added a new dfslogkey:<br>
Keypath: **HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/dfslog**<br>
The **RootShareAcquireSuccessEvent** field has the following possible values:
* Default value = 1; enables the log.
* Value other than 1; disables the log.
If this key doesn't exist, it will be created automatically.
To take effect, any change to **dfslog/RootShareAcquireSuccessEvent** in the registry requires that you restart the DFSN service.
- We updated the Open Mobile Alliance (OMA) Device Management (DM) sync protocol by adding a check-in reason for requests from the client to the server. The check-in reason will allow the mobile device management (MDM) service to make better decisions about sync sessions. With this change, the OMA-DM service must negotiate a protocol version of 4.0 with the Windows OMA-DM client.
- We turned off token binding by default in Windows Internet (WinINet).
- an issue that might prevent the correct Furigana characters from appearing in apps that automatically allow the input of Furigana characters. You might need to enter the Furigana characters manually. This issue occurs when using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in these apps.
## See Also
[IT tools to support Windows 10, version 21H1](https://aka.ms/tools-for-21H1)<br>
[Introducing the next feature update to Windows 10, version 21H1](https://blogs.windows.com/windowsexperience/2021/02/17/introducing-the-next-feature-update-to-windows-10-version-21h1/): Windows Experience Blog.<br>
[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.<br>
[Announcing more ways we're making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.<br>
[Features and functionality removed in Windows 10](removed-features.md): Removed features.<br>
[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.<br>

49
windows/whats-new/windows-11-overview.md
View File

@ -1,11 +1,11 @@
---
title: Windows 11 overview for administrators
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, apps, the new desktop, and deploying and servicing PCs.
manager: aaroncz
author: mestew
ms.author: mstewart
ms.prod: windows-client
ms.date: 09/20/2022
ms.date: 01/31/2024
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: overview
@ -18,11 +18,11 @@ appliesto:
# Windows 11 overview
Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with.
Windows 11 is a client operating system and includes features that organizations should know about. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with.
It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
Windows 11 offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
Your investments in updates and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows).
@ -46,13 +46,13 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
- [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection)
- The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more.
- The application security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more.
For more information, see [Windows application security](/windows/security/apps).
- **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices.
As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Intune work together to remove passwords, create more secure policies, and help enforce compliance.
As an admin, going passwordless help secures user identities. The Windows OS, Microsoft Entra ID, and Intune work together to remove passwords, create more secure policies, and help enforce compliance.
For more information, see:
@ -68,27 +68,20 @@ For more information on the security features you can configure, manage, and enf
For more information, see [What is Windows 365 Enterprise?](/windows-365/overview).
- **Microsoft Teams** is included with the OS, and is automatically available on the taskbar. Users select the chat icon, sign in with their personal Microsoft account, and start a call:
:::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call.":::
This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Intune. For more information, see:
- **Microsoft 365 Apps** can be installed on Windows 11 clients using the device management tools you're already familiar with:
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365)
- [Install Microsoft Teams using Microsoft Configuration Manager](/microsoftteams/msi-deployment)
- [What is Microsoft Configuration Manager?](/mem/configmgr/core/understand/introduction)
- [Deploy Microsoft 365 Apps with Microsoft Configuration Manager](/deployoffice/deploy-microsoft-365-apps-configuration-manager)
Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. Admins can [create a policy that pins apps, or removes the default pinned apps from the Taskbar](/windows/configuration/customize-taskbar-windows-11).
- **Power Automate for desktop** is included with the OS. Your users can create flows with this low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more.
- **Power Automate for desktop** allows your users to create flows in a low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more.
For more information, see [Getting started with Power Automate in Windows 11](/power-automate/desktop-flows/getting-started-windows-11).
Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**.
## Customize the desktop experience
- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize/maximize option. When you do, you can select a different layout for the app:
- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize or maximize option. When you do, you can select a different layout for the app:
:::image type="content" source="./images/windows-11-whats-new/windows-11-snap-layouts.png" alt-text="In Windows 11, use the minimize or maximize button on an app to see the available snap layouts.":::
@ -125,7 +118,9 @@ For more information on the security features you can configure, manage, and enf
:::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-widgets.png" alt-text="On the Windows 11 taskbar, select the widgets icon to open and see the available widgets.":::
You can enable/disable this feature using the `Computer Configuration\Administrative Templates\Windows Components\widgets` Group Policy. You can also deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
You can enable or disable this feature using the following policy:
- **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\widgets
- **MDM**: ./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests)
For information on the end-user experience, see [Stay up to date with widgets](https://support.microsoft.com/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4).
@ -150,7 +145,7 @@ For more information on the security features you can configure, manage, and enf
- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
- Your Windows 10 apps also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/overview-windows-apps).
@ -164,7 +159,7 @@ For more information on the security features you can configure, manage, and enf
- **Windows Terminal app**: This app is included with the OS. On previous Windows versions, it's a separate download in the Microsoft Store. For more information, see [What is Windows Terminal?](/windows/terminal/).
This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. And when you open a new tab, you can choose your command-line application:
This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. When you open a new tab, you can choose your command-line application:
:::image type="content" source="./images/windows-11-whats-new/windows-terminal-app.png" alt-text="On Windows 11, open the Windows Terminal app to use Windows PowerShell, the command prompt, or Azure Cloud Shell to run commands.":::
@ -177,7 +172,7 @@ For more information on the security features you can configure, manage, and enf
- [Get updates for apps and games in Microsoft Store](https://support.microsoft.com/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f)
- [How to open Microsoft Store on Windows](https://support.microsoft.com/account-billing/how-to-open-microsoft-store-on-windows-10-e080b85a-7c9e-46a7-8d8b-3e9a42e32de6)
- The **Microsoft Edge** browser is included with the OS, and is the default browser. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL.
- The **Microsoft Edge** browser is included with the OS. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL.
To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`.
@ -185,13 +180,13 @@ For more information on the security features you can configure, manage, and enf
## Deployment and servicing
- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Microsoft Deployment Toolkit (MDT), Configuration Manager, and more. Windows 11 will be delivered as an upgrade to eligible devices running Windows 10.
- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Configuration Manager, and other methods. Windows 11 is delivered as an upgrade to eligible devices running Windows 10.
For more information on getting started, see [Windows client deployment resources and documentation](/windows/deployment/) and [Plan for Windows 11](windows-11-plan.md).
For more information on the end-user experience, see [Ways to install Windows 11](https://support.microsoft.com/windows/e0edbbfb-cfc5-4011-868b-2ce77ac7c70e).
- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and pre-configure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins.
- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and preconfigure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins.
If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot).
@ -201,7 +196,7 @@ For more information on the security features you can configure, manage, and enf
- **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
Like Windows 10, Windows 11 will receive monthly quality updates.
Like Windows 10, Windows 11 receives monthly quality updates.
You have options to install updates on your Windows devices, including Intune, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates).
@ -216,7 +211,7 @@ For more information on the security features you can configure, manage, and enf
## Education and apps
Windows 11 SE is a new edition of Windows that's designed for education. It runs on low-cost devices, and runs essential apps, including Microsoft 365. For more information, see [Windows 11 SE for Education](/education/windows/windows-11-se-overview).
Windows 11 SE is a new edition of Windows designed for education. It runs on low-cost devices, and runs essential apps, including Microsoft 365. For more information, see [Windows 11 SE for Education](/education/windows/windows-11-se-overview).
## Next steps