diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 6ba49fc316..d324d9f9d1 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19448,7 +19448,7 @@
{
"source_path": "windows/security/threat-protection/intelligence/supply-chain-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware",
- "redirect_document_id": false
+ "redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/intelligence/support-scams.md",
@@ -19496,24 +19496,59 @@
"redirect_document_id": false
},
{
- "source_path": "windows/education/itadmins.yml",
- "redirect_url": "/education/",
- "redirect_document_id": true
+ "source_path": "education/itadmins.yml",
+ "redirect_url": "/education",
+ "redirect_document_id": false
},
{
- "source_path": "windows/education/partners.yml",
- "redirect_url": "/education/",
- "redirect_document_id": true
+ "source_path": "education/partners.yml",
+ "redirect_url": "/education",
+ "redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": false
},
+ {
+ "source_path": "windows-docs-pr/windows/client-management/mdm/remotering-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/remotering-ddf-file.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
{
- "source_path": "windows/education/developers.yml",
- "redirect_url": "/education/",
- "redirect_document_id": true
- }
+ "source_path": "education/developers.yml",
+ "redirect_url": "/education",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/enterpriseappmanagement-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/messaging-ddf.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/messaging-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/policymanager-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/proxy-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ }
]
-}
\ No newline at end of file
+}
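Review bot: The added redirect for `remotering-csp.md` uses `"source_path": "windows-docs-pr/windows/client-management/mdm/remotering-csp.md"`, which starts with the repository name, while every other entry in this hunk, including the adjacent `remotering-ddf-file.md`, is written relative to the repository root (`windows/...`). If source paths are matched the same way for all entries, this one likely won't match the retired file and its old URL will not redirect; drop the `windows-docs-pr/` prefix. Separately, the three education entries change both `source_path` (from `windows/education/...` to `education/...`) and `redirect_document_id` (from `true` to `false`) in the same edit; please say in the commit message whether both changes are intended.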
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ef3a69ff52..3bf0503686 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,104 +2,84 @@
Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
This page covers the basic steps for editing our technical documentation.
+For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/).
## Sign a CLA
-All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories.
-If you've already edited within Microsoft repositories in the past, congratulations!
+All contributors who are ***not*** a Microsoft employee or vendor must [sign a Microsoft Contributor License Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories.
+If you've already edited within Microsoft repositories in the past, congratulations!
You've already completed this step.
## Editing topics
We've tried to make editing an existing, public file as simple as possible.
->**Note**
->At this time, only the English (en-us) content is available for editing.
+> **Note**
+> At this time, only the English (en-us) content is available for editing. If you have suggestions for edits to localized content, file feedback on the article.
-**To edit a topic**
+### To edit a topic
-1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
+1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update.
- 
+ > **Note**
+ > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).
-2. Log into (or sign up for) a GitHub account.
-
- You must have a GitHub account to get to the page that lets you edit a topic.
+1. Then select the **Pencil** icon.
-3. Click the **Pencil** icon (in the red box) to edit the content.
+ 
- 
+ If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs).
-4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
-
- - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
+ > **TIP**
+ > View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article.
-5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
+1. In GitHub, select the **Pencil** icon to edit the article. If the pencil icon is grayed out, you need to either sign in to your GitHub account or create a new account.
- 
+ 
-6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
+1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
- 
+1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
- The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
+ 
-7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in.
+1. When you're finished editing, scroll to the bottom of the page. In the **Propose changes** area, enter a title and optionally a description for your changes. The title will be the first line of the commit message. Briefly state _what_ you changed. Select **Propose changes** to commit your changes:
+
+ 
+
+1. The **Comparing changes** screen appears to show what the changes are between your fork and the original content. On the **Comparing changes** screen, you'll see if there are any problems with the file you're checking. If there are no problems, you'll see the message **Able to merge**.
- If there are no problems, you’ll see the message, **Able to merge**.
-

-8. Click **Create pull request**.
+ Select **Create pull request**. Next, enter a title and description to give the approver the appropriate context about _why_ you're suggesting this change. Make sure that only your changed files are in this pull request; otherwise, you could overwrite changes from other people.
-9. Enter a title and description to give the approver the appropriate context about what’s in the request.
+1. Select **Create pull request** again to actually submit the pull request.
-10. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
+ The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
-11. Click **Create pull request** again to actually submit the pull request.
-
- The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
-
- - [Windows 10](https://docs.microsoft.com/windows/windows-10)
-
- - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
-
- - [Surface](https://docs.microsoft.com/surface)
-
- - [Surface Hub](https://docs.microsoft.com/surface-hub)
-
- - [HoloLens](https://docs.microsoft.com/hololens)
-
+ - [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/)
- [Microsoft Store](https://docs.microsoft.com/microsoft-store)
-
- [Windows 10 for Education](https://docs.microsoft.com/education/windows)
-
- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
-
- - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
-
- - [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
-
+ - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/)
## Making more substantial changes
-To make substantial changes to an existing article, add or change images, or contribute a new article, you will need to create a local clone of the content.
-For info about creating a fork or clone, see the GitHub help topic, [Fork a Repo](https://help.github.com/articles/fork-a-repo/).
+To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
+For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
-Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Then open a pull request back to the master branch of the official repo.
+Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo.
## Using issues to provide feedback on documentation
If you just want to provide feedback rather than directly modifying actual documentation pages, you can create an issue in the repository.
-At the top of a topic page you'll see an **Issues** tab. Click the tab and then click the **New issue** button.
+At the top of an article, you'll see a feedback icon. Select the icon to go to the **Feedback** section at the bottom of the article. Then select **This page** to file feedback for the current article.
-Be sure to include the topic title and the URL for the page you're submitting the issue for, if that page is different from the page you launched the **New issue** dialog from.
+In the new issue form, enter a brief title. In the body of the form, describe the concern, but don't modify the **Document Details** section. You can use markdown in this form. When you're ready, select **Submit new issue**.
## Resources
-You can use your favorite text editor to edit Markdown. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
-
-You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
-
+- You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
+- You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
+- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
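Review bot: In the new employee/vendor note under step 1, "append `review.` to the beginning of the URL" contradicts itself, since appending adds to the end; suggest "add `review.` to the beginning of the URL" or "prefix the URL with `review.`". The same note links to a guide labelled internal from a public CONTRIBUTING.md, so it would help to state that the link requires Microsoft access. Two smaller style points: the second step, "Then select the **Pencil** icon.", reads as a continuation of step 1 rather than a step of its own, and the callouts mix `> **Note**` with `> **TIP**` casing.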
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 897b27ceed..6290d3a462 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -23,11 +23,11 @@ ms.date: 07/27/2017
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools.
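Review bot: All five "Applies to" items are removed and re-added with text that reads identically, so this hunk appears to be a whitespace-only change. If that is intentional cleanup, mention it in the commit message or move it to a separate formatting commit, so it does not add noise to the review of the content changes in this file.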
@@ -53,16 +53,13 @@ Besides turning on this feature, you also have the option to provide a URL for E
Your **Value data** location can be any of the following types:
-- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.
**Important** Defines the root node for the DMSessionActions configuration service provider. Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. Scope is dynamic. Supported operations are Get, Add, and Delete. Node for the custom configuration of alerts to be sent during MDM sync session. Required. Root node for URIs to be queried. Scope is dynamic. Supported operation is Get. Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic. Supported operations are Get, Add, and Delete. Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic. Value type is string. Supported operations are Add, Get, Replace, and Delete. Node to query the custom alert per server configuration Value type is string. Supported operation is Get. Node for power-related configurations Maximum number of continuous skipped sync sessions when the device is in low-power state. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. Value type is integer. Supported operations are Add, Get, Replace, and Delete. The root node for the DynamicManagement configuration service provider. Boolean value for sending notification to the user of a context change. Default value is False. Supported operations are Get and Replace. Example to turn on NotificationsEnabled: A string containing the list of all active ContextIDs on the device. 
Delimeter is unicode character 0xF000.. Supported operation is Get. Node for context information. Supported operation is Get. Node created by the server to define a context. Maximum number of characters allowed is 38. Supported operations are Add, Get, and Delete. Signal Definition XML. Value type is string. Supported operations are Add, Get, Delete, and Replace. Settings that get applied when the Context is active. Value type is string. Supported operations are Add, Get, Delete, and Replace. Response from applying a Settings Pack that contains information on each individual action. Value type is string. Supported operation is Get. Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed. Value type is integer. Supported operation is Get. A value that determines how to handle conflict resolution of applying multiple contexts on the device. This value is required and must be distinct of other priorities. Value type is integer. Supported operations are Add, Get, Delete, and Replace. A Boolean value for sending an alert to the server when a context fails. Supported operations are Get and Replace. The root node for the EnterpriseAPN configuration service provider. Name of the connection as seen by Windows Connection Manager. Supported operations are Add, Get, Delete, and Replace. Enterprise APN name. Supported operations are Add, Get, Delete, and Replace. This value can be one of the following values: Supported operations are Add, Get, Delete, and Replace. Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false. Supported operations are Add, Get, Delete, and Replace. GUID that defines the APN class to the modem. This GUID is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN. 
Supported operations are Add, Get, Delete, and Replace. Authentication type. This value can be one of the following values: Supported operations are Add, Get, Delete, and Replace. User name for use with PAP, CHAP, or MSCHAPv2 authentication. Supported operations are Add, Get, Delete, and Replace. Password corresponding to the username. Supported operations are Add, Get, Delete, and Replace. Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data. Supported operations are Add, Get, Delete, and Replace. Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available. The default value is true. Supported operations are Add, Get, Delete, and Replace. Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled. The default value is true. Supported operations are Add, Get, Delete, and Replace. Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values: Default is 1 (all roaming allowed). Value type is string. Supported operations are Add, Get, Delete, and Replace. Added in Windows 10, version 1607. Node that contains global settings. Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN. The default value is false. Supported operations are Get and Replace. Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true. The default value is false. Supported operations are Get and Replace. 
Root node for the EnterpriseAppVManagement configuration service provider. Used to query App-V package information (post-publish). Used to query package information. Value is always "HostedInstall". Package ID of the published App-V package. Version ID of the published App-V package. Name specified in the published AppV package. Value type is string. Supported operation is Get. Version specified in the published AppV package. Value type is string. Supported operation is Get. Publisher as specified in the published asset information of the AppV package. Value type is string. Supported operation is Get. Local package path specified in the published asset information of the AppV package. Value type is string. Supported operation is Get. Date the app was installed, as specified in the published asset information of the AppV package. Value type is string. Supported operation is Get. Registered users for app, as specified in the published asset information of the AppV package. Value type is string. Supported operation is Get. Package ID of the published App-V package. Value type is string. Supported operation is Get. Version ID of the published App-V package. Value type is string. Supported operation is Get. Package URI of the published App-V package. Value type is string. Supported operation is Get. Used to monitor publishing operations on App-V. Used to monitor publishing status of last sync operation. Error code and error description of last sync operation. Value type is string. Supported operation is Get. Last sync error status. One of the following values may be returned: Value type is string. Supported operation is Get. Latest sync in-progress stage. One of the following values may be returned: Value type is string. Supported operation is Get. Latest sync state. One of the following values may be returned: Value type is string. Supported operation is Get. Used to perform App-V synchronization. Used to execute the App-V synchronization using the Publishing protocol. 
For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol. Supported operations are Get, Delete, and Execute. Used to set App-V Policy Configuration documents for publishing packages. ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document). XML for App-V Policy Configuration documents for publishing packages. Value type is xml. Supported operations are Add, Get, Delete, and Replace. Root node for the Firewall configuration service provider. Interior node. Supported operation is Get. Interior node. Supported operations are Get. Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build. Value type in integer. Supported operation is Get. Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law. Value type in integer. Supported operation is Get. Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win. Default value is false. Data type is bool. Supported operations are Add, Get, Replace, and Delete. This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Default value is 300. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Default value is 1. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Default value is 0. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued: Default value is 0. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law. Value type is string. Supported operation is Get. 
This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. Value type is string. Supported operation is Get. This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. Boolean value. Supported operations are Add, Get, Replace, and Delete. This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values: Default value is 0. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Interior node. Supported operation is Get. Interior node. Supported operation is Get. Interior node. Supported operation is Get. Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. Default value is true. Value type is bool. Supported operations are Add, Get and Replace. Boolean value. When this option is false, the server operates in stealth mode. 
The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. Default value is false. Value type is bool. Supported operations are Add, Get and Replace. Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win. Default value is false. Value type is bool. Supported operations are Get and Replace. Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. Default value is false. Value type is bool. Supported operations are Add, Get and Replace. Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. Default value is false. Value type is bool. Supported operations are Add, Get and Replace. Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. Default value is true. Value type is bool. Supported operations are Add, Get and Replace. Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. 
The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. Default value is true. Value type is bool. Supported operations are Add, Get and Replace. Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. Default value is true. Value type is bool. Supported operations are Add, Get and Replace. Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. Default value is true. Value type is bool. Supported operations are Add, Get and Replace. This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block. Default value is 0 (allow). Value type is integer. Supported operations are Add, Get and Replace. This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used. Default value is 1 (block). Value type is integer. Supported operations are Add, Get and Replace. Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. Default value is true. Value type is bool. Supported operations are Add, Get and Replace. A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). Supported operations are Add, Get, Replace, and Delete. Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes: If not specified, the default is All. Supported operation is Get. This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. Value type is string. Supported operations are Add, Get, Replace, and Delete. This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. Value type is string. Supported operations are Add, Get, Replace, and Delete. Fully Qualified Binary Name Value type is string. Supported operations are Add, Get, Replace, and Delete. This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic. Value type is string. Supported operations are Add, Get, Replace, and Delete. 0-255 number representing the ip protocol (TCP = 6, UDP = 17) If not specified, the default is All. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Comma separated list of ranges. For example, 100-120,200,300-320. If not specified, the default is All. Value type is string. Supported operations are Add, Get, Replace, and Delete. Comma separated list of ranges, For example, 100-120,200,300-320. If not specified, the default is All. Value type is string. 
Supported operations are Add, Get, Replace, and Delete. Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: If not specified, the default is All. Value type is string. Supported operations are Add, Get, Replace, and Delete. List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: If not specified, the default is All. Value type is string. Supported operations are Add, Get, Replace, and Delete. The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later. Specifies the description of the rule. Value type is string. Supported operations are Add, Get, Replace, and Delete. Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
- If not specified - a new rule is enabled by default. Boolean value. Supported operations are Get and Replace. Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. Value type is integer. Supported operations are Get and Replace. Specifies the action for the rule. Supported operation is Get. Specifies the action the rule enforces. Supported values: If not specified, the default is allow. Value type is integer. Supported operations are Get and Replace. The rule is enabled based on the traffic direction as following. Supported values: Value type is string. Supported operations are Get and Replace. Comma separated list of interface types. Valid values: If not specified, the default is All. Value type is string. Supported operations are Get and Replace. Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format. Value type is string. Supported operations are Add, Get, Replace, and Delete. Provides information about the specific version of the rule in deployment for monitoring purposes. Value type is string. Supported operation is Get. Name of the rule. Value type is string. Supported operations are Add, Get, Replace, and Delete. 
Root node for the Messaging configuration service provider. Turns on the "Text" auditing feature. The following list shows the supported values: Supported operations are Get and Replace. Node for auditing. Supported operation is Get. Node for messages. Supported operation is Get. The number of messages to return in the Data setting. The default is 100. Supported operations are Get and Replace. Retrieves messages whose revision ID is greater than RevisionId. Supported operations are Get and Replace. The JSON string of text messages on the device. Supported operations are Get and Replace. The supported operations are Add, Get, Delete, and Replace.
***Name*/AppPathNameMatchCondition**
- Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe.
+ Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`.
The data type is char.
@@ -111,7 +121,7 @@ NetworkQoSPolicy
The supported operations are Add, Get, Delete, and Replace.
***Name*/DSCPAction**
- The differentiated services code point (DSCP) value to apply to matching network traffic.
+ The Differentiated Services Code Point (DSCP) value to apply to matching network traffic.
Valid values are 0-63.
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index 039ac5d742..6509a63fd1 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -14,6 +14,15 @@ ms.date: 06/26/2017
# NodeCache CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes.
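Review bot: The added lead-in `The table below shows the applicability of Windows:` reads backwards. The rows list the Windows editions that the NodeCache CSP applies to, so wording such as "The table below shows the Windows editions this CSP applies to:" would match the table. The hunk header context still shows `ms.date: 06/26/2017`; consider updating the metadata date together with this content change.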
@@ -72,7 +81,7 @@ NodeCache
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax.
***ProviderID***
-Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic.
+Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic.
Supported operations are Get, Add, and Delete.
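Review bot: In the sentence "there should be only one **ProviderID** node under **NodeCache**", switching `*ProviderID*` from italic to bold gives the placeholder the same formatting as the literal names **NodeCache** and **PROVIDER-ID** in that paragraph. The heading is still `***ProviderID***`, with the italic that marks it as a server-supplied value. Either keep the italic in the body text or change the heading and body together so they stay consistent.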
@@ -383,10 +392,11 @@ It represents this example:
The root node for the Reboot configuration service provider. The supported operation is Get. This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. The supported operations are Execute and Get. The supported operation is Get. This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
-Example to configure: 2018-10-25T18:00:00 The supported operations are Get, Add, Replace, and Delete. The supported data type is "String". This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
-Example to configure: 2018-10-25T18:00:00 The supported operations are Get, Add, Replace, and Delete. The supported data type is "String". The root node for the Surface Hub configuration service provider.
+The root node for the Surface Hub configuration service provider.
**DeviceAccount**
- Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
+Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
- To use a device account from Azure Active Directory
+To use a device account from Azure Active Directory
1. Set the UserPrincipalName (for Azure AD).
2. Set a valid Password.
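Review bot: The added lead-in `To use a device account from Azure Active Directory` introduces the numbered steps but has no trailing colon, while the Active Directory counterpart later in this patch is changed to end with one. Add the colon here so both procedures read the same. The two removed lines starting `Example to configure: 2018-10-25T18:00:00` also take the example value and the supported operations and data type sentences with them. Only the Surface Hub root node sentence is re-added, so confirm that the rest was meant to be dropped.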
@@ -89,7 +91,7 @@ SurfaceHub
> If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress.
- Here's a SyncML example.
+Here's a SyncML example.
```xml
To use a device account from Active Directory
+To use a device account from Active Directory:
1. Set the DomainName.
2. Set the UserName.
@@ -147,207 +149,268 @@ SurfaceHub
4. Execute the ValidateAndCommit node.
**DeviceAccount/DomainName**
- Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
- The data type is string. Supported operation is Get and Replace.
+Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/UserName**
- Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
- The data type is string. Supported operation is Get and Replace.
+Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/UserPrincipalName**
- User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
- The data type is string. Supported operation is Get and Replace.
+User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/SipAddress**
- Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
- The data type is string. Supported operation is Get and Replace.
+Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/Password**
- Password for the device account.
- The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
+Password for the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
**DeviceAccount/ValidateAndCommit**
- This method validates the data provided and then commits the changes.
- The data type is string. Supported operation is Execute.
+This method validates the data provided and then commits the changes.
+
+- The data type is string.
+- Supported operation is Execute.
**DeviceAccount/Email**
- Email address of the device account.
- The data type is string.
+Email address of the device account. The data type is string.
-**DeviceAccount/PasswordRotationEnabled**
- Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
+**DeviceAccount/
+PasswordRotationEnabled**
- Valid values:
+Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
+
+Valid values:
- 0 - password rotation enabled
- 1 - disabled
- The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**DeviceAccount/ExchangeServer**
- Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
- The data type is string. Supported operation is Get and Replace.
+Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/ExchangeModernAuthEnabled**
- Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
- The data type is boolean. Supported operation is Get and Replace.
+Added in KB4598291 for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**DeviceAccount/CalendarSyncEnabled**
- Specifies whether calendar sync and other Exchange server services is enabled.
- The data type is boolean. Supported operation is Get and Replace.
+Specifies, whether calendar sync and other Exchange server services is enabled.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**DeviceAccount/ErrorContext**
If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values:
-| ErrorContext value | Stage where error occurred | Description and suggestions |
+| **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
| --- | --- | --- |
| 1 | Unknown | |
-| 2 | Populating account | Unable to retrieve account details using the username and password you provided. Node for maintenance schedule.
+Node for maintenance schedule.
**MaintenanceHoursSimple/Hours/StartTime**
- Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
- The data type is integer. Supported operation is Get and Replace.
+Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
+
+- The data type is integer.
+- Supported operation is Get and Replace.
**MaintenanceHoursSimple/Hours/Duration**
- Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
- The data type is integer. Supported operation is Get and Replace.
+Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
+
+- The data type is integer.
+- Supported operation is Get and Replace.
**InBoxApps**
- Node for the in-box app settings.
+
+Node for the in-box app settings.
**InBoxApps/SkypeForBusiness**
- Added in Windows 10, version 1703. Node for the Skype for Business settings.
+
+Added in Windows 10, version 1703. Node for the Skype for Business settings.
**InBoxApps/SkypeForBusiness/DomainName**
- Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online.
- The data type is string. Supported operation is Get and Replace.
+Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**InBoxApps/Welcome**
- Node for the welcome screen.
+Node for the welcome screen.
**InBoxApps/Welcome/AutoWakeScreen**
- Automatically turn on the screen using motion sensors.
- The data type is boolean. Supported operation is Get and Replace.
+Automatically turn on the screen using motion sensors.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/Welcome/CurrentBackgroundPath**
- Download location for image to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub, otherwise it may not be able to load the image.
- The data type is string. Supported operation is Get and Replace.
+Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**InBoxApps/Welcome/MeetingInfoOption**
- Meeting information displayed on the welcome screen.
- Valid values:
+Meeting information displayed on the welcome screen.
+
+Valid values:
- 0 - Organizer and time only
- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
- The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**InBoxApps/Whiteboard**
- Node for the Whiteboard app settings.
+
+Node for the Whiteboard app settings.
**InBoxApps/Whiteboard/SharingDisabled**
- Invitations to collaborate from the Whiteboard app aren't allowed.
- The data type is boolean. Supported operation is Get and Replace.
+Invitations to collaborate from the Whiteboard app aren't allowed.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/Whiteboard/SigninDisabled**
- Sign-ins from the Whiteboard app aren't allowed.
- The data type is boolean. Supported operation is Get and Replace.
+Sign-ins from the Whiteboard app aren't allowed.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/Whiteboard/TelemeteryDisabled**
- Telemetry collection from the Whiteboard app isn't allowed.
- The data type is boolean. Supported operation is Get and Replace.
+Telemetry collection from the Whiteboard app isn't allowed.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection**
- Node for the wireless projector app settings.
+
+Node for the wireless projector app settings.
**InBoxApps/WirelessProjection/PINRequired**
- Users must enter a PIN to wirelessly project to the device.
- The data type is boolean. Supported operation is Get and Replace.
+Users must enter a PIN to wireless project to the device.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection/Enabled**
- Enables wireless projection to the device.
- The data type is boolean. Supported operation is Get and Replace.
+Enables wireless projection to the device.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection/Channel**
- Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
-|Compatibility|Values|
+Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
+
+|**Compatibility**|**Values**|
|--- |--- |
|Works with all Miracast senders in all regions|1, 3, 4, 5, 6, 7, 8, 9, 10, 11|
|Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48|
|Works with all 5ghz band Miracast senders in all regions except Japan|149, 153, 157, 161, 165|
+The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for).
- The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).
-
- The data type is integer. Supported operation is Get and Replace.
+- The data type is integer.
+- Supported operation is Get and Replace.
**InBoxApps/Connect**
- Added in Windows 10, version 1703. Node for the Connect app.
+
+Added in Windows 10, version 1703. Node for the Connect app.
**InBoxApps/Connect/AutoLaunch**
- Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.
- If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
+Added in Windows 10, version 1703. Specifies, whether to automatically launch the Connect app whenever a projection is initiated.
- The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties**
- Node for the device properties.
+
+Node for the device properties.
**Properties/FriendlyName**
- Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.
- The data type is string. Supported operation is Get and Replace.
+Friendly name of the device. Specifies the name that users see when they want wireless project to the device.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**Properties/DefaultVolume**
- Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
- The data type is integer. Supported operation is Get and Replace.
+Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
+
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/DefaultAutomaticFraming**
- Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
- The data type is boolean. Supported operation is Get and Replace.
+Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/ScreenTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
- The following table shows the permitted values.
+Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
-|Value|Description|
+The following table shows the permitted values.
+
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
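Review bot: The PasswordRotationEnabled heading is now split across two added lines, `**DeviceAccount/` and `PasswordRotationEnabled**`, which breaks the bold span and the node path. Put it back on one line as `**DeviceAccount/PasswordRotationEnabled**`. The added `It performs the following:` under PasswordRotationEnabled and MeetingInfoOption introduces bullets that give the data type and supported operations, not actions, so drop that lead-in as the other nodes in this hunk do. Several re-added sentences also pick up wording regressions: `Specifies, whether` (ExchangeModernAuthEnabled, CalendarSyncEnabled, Connect/AutoLaunch) has a stray comma, and `to wireless project` (PINRequired) and `when they want wireless project` (FriendlyName) lose the "wirelessly" that the removed lines had.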
@@ -361,14 +424,17 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
- The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/SessionTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
- The following table shows the permitted values.
+Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
-|Value|Description|
+The following table shows the permitted values.
+
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute (default)|
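Review bot: The added `It performs the following:` after the ScreenTimeout values table does not describe the two bullets that follow it, which state the data type and the supported operations rather than anything the node performs. Remove the lead-in and keep the bullets on their own, as is done for nodes such as DeviceAccount/DomainName earlier in this file.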
@@ -382,14 +448,17 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
- The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/SleepTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
- The following table shows the permitted values.
+Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
-|Value|Description|
+The following table shows the permitted values.
+
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
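Review bot: The header row `|**Value**|**Description**|` adds bold markup inside cells that are already rendered as table headers, and it is inconsistent with the applicability tables added elsewhere in this patch, which use a plain `|Edition|Windows 10|Windows 11|` header. Keep the header cells unformatted. The `It performs the following:` line added after the SessionTimeout table has the same problem as in the other timeout sections and can be dropped.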
@@ -403,61 +472,80 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
- The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/SleepMode**
- Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
- Valid values:
+Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
+
+Valid values:
- 0 - Connected Standby (default)
- 1 - Hibernate
- The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/AllowSessionResume**
- Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
- If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
+Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
- The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/AllowAutoProxyAuth**
- Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
- If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
+Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
- The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/ProxyServers**
- Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
- The data type is string. Supported operation is Get and Replace.
+Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
+
+- The data type is string.
+- Supported operation is Get and Replace.
**Properties/DisableSigninSuggestions**
- Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
- If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
+Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
- The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/DoNotShowMyMeetingsAndFiles**
- Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
- If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
+Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
- The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**MOMAgent**
- Node for the Microsoft Operations Management Suite.
+
+Node for the Microsoft Operations Management Suite.
**MOMAgent/WorkspaceID**
- GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
- The data type is string. Supported operation is Get and Replace.
+GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
-**MOMAgent/WorkspaceKey**
- Primary key for authenticating with the workspace.
+- The data type is string.
+- Supported operation is Get and Replace.
- The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
+**MOMAgent/WorkspaceKey**
+Primary key for authenticating with the workspace.
+
+- The data type is string.
+- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
\ No newline at end of file
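Review bot: The split-out bullets for Properties/ProxyServers, DisableSigninSuggestions, DoNotShowMyMeetingsAndFiles and the MOMAgent nodes keep "Supported operation is Get and Replace", which names two operations with a singular subject and verb; use "Supported operations are Get and Replace", as the TenantLockdown article in this same change does. The ProxyServers description also says "This FQDN is a semi-colon separated list of server names", which should describe a semicolon-separated list of FQDNs. The file still ends without a trailing newline. Keeping "The Get operation is allowed, but it will always return an empty string" on the MOMAgent/WorkspaceKey operations bullet is right, since it tells admins the key cannot be read back.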
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 6f4815ab07..61939e6c29 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -13,6 +13,16 @@ manager: dansimp
# TenantLockdown CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809.
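Review bot: The new applicability table lists Windows 10 and Windows 11 editions as supported, but the unchanged warning directly below it still says the information "relates to prereleased product" and carries the sentence "This CSP was added in Windows 10, version 1809". Either drop the prerelease warning or move the version sentence out of it, so the article does not show a supported-editions table next to a prerelease caveat. The lead-in "The table below shows the applicability of Windows:" is also unclear about what applies to what; something like "The following table shows the Windows editions this CSP applies to:" would read better.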
@@ -28,16 +38,21 @@ TenantLockdown
----RequireNetworkInOOBE
```
**./Vendor/MSFT/TenantLockdown**
-The root node.
+The root node for the TenantLockdown configuration service provider.
**RequireNetworkInOOBE**
-Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in.
+Specifies whether a network connection is required during the out-of-box experience (OOBE) at first logon.
When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option.
-Value type is bool. Supported operations are Get and Replace.
+- Value type is bool.
+- Supported operations are Get and Replace.
-- True - Require network in OOBE
-- False - No network connection requirement in OOBE
+ - True - Require network in OOBE.
+ - False - No network connection requirement in OOBE.
-Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they're required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There's no option to skip the network connection and create a local account.
+Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
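Review bot: The RequireNetworkInOOBE description now says "at first logon" while the unchanged sentence right after it still says "at first sign in", so the same event gets two names within two lines; keep "sign in" in both. The True and False values are now indented under the "Supported operations are Get and Replace" bullet, which presents them as children of the operations rather than as the allowed values; give them their own lead-in such as "Supported values:". The example scenario also replaces "they're" and "There's" with "they are" and "There is" while the unchanged paragraph above keeps "There's", so the contraction style ends up mixed.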
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index af4f245a6e..e85778cb28 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -75,3 +75,7 @@ The XML below is for Windows 10, version 1809.
```
+
+## Related topics
+
+[TenantLockdown CSP](tenantlockdown-csp.md)
\ No newline at end of file
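Review bot: The added "Related topics" section leaves tenantlockdown-ddf.md without a newline at end of file; end the link line with a newline so the next edit to this file does not show the link line as modified.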
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index ee13358bb5..33c45dd2be 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -255,8 +255,6 @@ items:
items:
- name: EnterpriseAPN DDF
href: enterpriseapn-ddf.md
- - name: EnterpriseAppManagement CSP
- href: enterpriseappmanagement-csp.md
- name: EnterpriseAppVManagement CSP
href: enterpriseappvmanagement-csp.md
items:
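Review bot: Removing the "EnterpriseAppManagement CSP" entry from the TOC only takes the article out of navigation; confirm that enterpriseappmanagement-csp.md is deleted in the same change and has a redirect entry, otherwise inbound links either break or keep serving an article that is no longer listed. The same check applies to the Messaging, PolicyManager, PROXY and RemoteRing entries removed in the later hunks of this file.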
@@ -296,11 +294,6 @@ items:
items:
- name: HealthAttestation DDF
href: healthattestation-ddf.md
- - name: Messaging CSP
- href: messaging-csp.md
- items:
- - name: Messaging DDF file
- href: messaging-ddf.md
- name: MultiSIM CSP
href: multisim-csp.md
items:
@@ -835,12 +828,8 @@ items:
href: policy-csp-windowssandbox.md
- name: WirelessDisplay
href: policy-csp-wirelessdisplay.md
- - name: PolicyManager CSP
- href: policymanager-csp.md
- name: Provisioning CSP
href: provisioning-csp.md
- - name: PROXY CSP
- href: proxy-csp.md
- name: PXLOGICAL CSP
href: pxlogical-csp.md
- name: Reboot CSP
@@ -853,11 +842,6 @@ items:
items:
- name: RemoteFind DDF file
href: remotefind-ddf-file.md
- - name: RemoteRing CSP
- href: remotering-csp.md
- items:
- - name: RemoteRing DDF file
- href: remotering-ddf-file.md
- name: RemoteWipe CSP
href: remotewipe-csp.md
items:
@@ -963,10 +947,10 @@ items:
items:
- name: WindowsAdvancedThreatProtection DDF file
href: windowsadvancedthreatprotection-ddf.md
- - name: WindowsAutoPilot CSP
+ - name: WindowsAutopilot CSP
href: windowsautopilot-csp.md
items:
- - name: WindowsAutoPilot DDF file
+ - name: WindowsAutopilot DDF file
href: windowsautopilot-ddf-file.md
- name: WindowsDefenderApplicationGuard CSP
href: windowsdefenderapplicationguard-csp.md
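Review bot: The rename from "WindowsAutoPilot" to "WindowsAutopilot" touches only the two TOC display names; the href targets windowsautopilot-csp.md and windowsautopilot-ddf-file.md are unchanged, so check that the H1 and title metadata in those two articles use the same "Autopilot" casing, or the navigation label and the page heading will disagree.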
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 0c7915fe7c..c4aa932cc0 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -13,10 +13,19 @@ manager: dansimp
# TPMPolicy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
-The TPMPolicy CSP was added in Windows 10, version 1703.
+The TPMPolicy CSP was added in Windows 10, version 1703, and later.
The following example shows the TPMPolicy configuration service provider in tree format.
```
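Review bot: "The TPMPolicy CSP was added in Windows 10, version 1703, and later" does not parse, since a feature is added in one release; write "was added in Windows 10, version 1703" or "is available in Windows 10, version 1703 and later". The last row of the new table is also followed directly by the "The TPMPolicy configuration service provider (CSP) provides a mechanism..." paragraph with no added blank line, unlike the TenantLockdown and Update hunks; add one so the paragraph is not parsed as part of the table.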
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index 8a3a6d1f58..174bdb6025 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -13,8 +13,17 @@ manager: dansimp
# UEFI CSP
+The table below shows the applicability of Windows:
-The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later.
> [!NOTE]
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
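Review bot: The rewritten introduction says the CSP "was added in Windows 10, version 1809c, and later"; "1809c" looks like a typo, since the note directly below refers to version 1809, and "added in ... and later" should be either "added in Windows 10, version 1809" or "available in Windows 10, version 1809 and later".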
@@ -51,7 +60,7 @@ Uefi
```
The following list describes the characteristics and parameters.
-**./Vendor/MSFT/Uefi**
+**./Vendor/MSFT/UEFI**
Root node.
**DeviceIdentifier**
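Review bot: The root node path changes from ./Vendor/MSFT/Uefi to ./Vendor/MSFT/UEFI, but the tree this list describes still names the root "Uefi" (visible in the hunk header context). Admins copy this path into OMA-URI settings, so confirm which casing the DDF defines and make the tree and the bold path agree instead of changing only one of them.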
@@ -80,7 +89,7 @@ Retrieves the binary result package of the previous Identity/Apply operation.
Supported operation is Get.
**Permissions**
-Node for settings permission operations..
+Node for settings permission operations.
**Permissions/Current**
Retrieves XML from UEFI that describes the current UEFI settings permissions.
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 1904740772..255dde3d19 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -14,6 +14,15 @@ ms.date: 06/26/2017
# UnifiedWriteFilter CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
@@ -315,7 +324,6 @@ Supported operations are Get and Execute.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
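Review bot: The blank line between the "## Related topics" heading and its link is removed here, while the TenantLockdown CSP and DDF hunks in this same change add that section with a blank line after the heading; keep the blank line so the heading is formatted the same way across the CSP articles.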
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index c728cdb027..ec193e1117 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -14,6 +14,16 @@ ms.date: 02/23/2018
# Update CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!NOTE]
@@ -62,7 +72,7 @@ The following example shows the Update configuration service provider in tree fo
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
- The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
+ The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
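Review bot: In the EULA paragraph, "It's only necessary" becomes "It is only necessary" while the sentence before it keeps "It's possible", so the edit leaves the paragraph with mixed contraction style; pick one form for both. While this sentence is being touched, "once per EULA ID, not one per update" should read "not once per update". Shortening "Failure to do this presentation" to "Failure to do this" is fine.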
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 07dbd492dc..94974cf502 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -14,6 +14,15 @@ ms.date: 09/21/2021
# VPNv2 CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
@@ -550,7 +559,7 @@ An optional flag to enable Always On mode. This flag will automatically connect
Preserving user Always On preference
-Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
+Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
Value: AutoTriggerDisabledProfilesList
@@ -696,7 +705,7 @@ Supported operations include Get, Add, Replace, and Delete.
Reserved for future use.
**VPNv2/**ProfileName**/NativeProfile**
-Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP).
+Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
**VPNv2/**ProfileName**/NativeProfile/Servers**
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index fca8b3674b..bb90fb33e2 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -14,6 +14,15 @@ ms.date: 06/26/2017
# w4 APPLICATION CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
@@ -47,7 +56,7 @@ This parameter takes a string value. The possible values to configure the NAME p
- no value specified
> [!NOTE]
-> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
+> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
If no value is specified, the registry location will default to ` The root node for the Windows Defender Advanced Threat Protection configuration service provider.
+The root node for the Windows Defender Advanced Threat Protection configuration service provider.
- Supported operation is Get.
+Supported operation is Get.
**Onboarding**
- Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
+Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
- The data type is a string.
+The data type is a string.
- Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**HealthState**
- Node that represents the Windows Defender Advanced Threat Protection health state.
+Node that represents the Windows Defender Advanced Threat Protection health state.
**HealthState/LastConnected**
- Contains the timestamp of the last successful connection.
+Contains the timestamp of the last successful connection.
- Supported operation is Get.
+Supported operation is Get.
**HealthState/SenseIsRunning**
- Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
+Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
- The default value is false.
+The default value is false.
- Supported operation is Get.
+Supported operation is Get.
**HealthState/OnboardingState**
- Represents the onboarding state.
+Represents the onboarding state.
- Supported operation is Get.
+Supported operation is Get.
- The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Not onboarded.
-- 1 – Onboarded
+- 0 (default) – Not onboarded
+- 1 – Onboarded
**HealthState/OrgId**
- String that represents the OrgID.
+String that represents the OrgID.
- Supported operation is Get.
+Supported operation is Get.
**Configuration**
- Represents Windows Defender Advanced Threat Protection configuration.
+Represents Windows Defender Advanced Threat Protection configuration.
**Configuration/SampleSharing**
- Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
+Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
- The following list shows the supported values:
+The following list shows the supported values:
- 0 – None
- 1 (default)– All
- Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**Configuration/TelemetryReportingFrequency**
- Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
+Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
- The following list shows the supported values:
+The following list shows the supported values:
-- 1 (default) – Normal
-- 2 - Expedite
+- 1 (default) – Normal
+- 2 - Expedite
- Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**Offboarding**
- Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
+Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
- The data type is a string.
+The data type is a string.
- Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**DeviceTagging**
- Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
+Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
- Supported operation is Get.
+Supported operation is Get.
**DeviceTagging/Group**
- Added in Windows 10, version 1709. Device group identifiers.
+Added in Windows 10, version 1709. Device group identifiers.
- The data type is a string.
+The data type is a string.
- Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**DeviceTagging/Criticality**
- Added in Windows 10, version 1709. Asset criticality value. Supported values:
+Added in Windows 10, version 1709. Asset criticality value. Supported values:
- 0 - Normal
- 1 - Critical
- The data type is an integer.
+The data type is an integer.
- Supported operations are Get and Replace.
+Supported operations are Get and Replace.
## Examples
-
```xml
- The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API.
-- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
-- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data.
+- **URL location**, for example: `https://www.emieposturl.com/api/records` or `https://localhost:13000`. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.
+
+ > [!Important]
+ > The `https://www.emieposturl.com/api/records` example will only work if you've downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) article. If you don't have the sample, you won't have the web API.
+
+- **Local network location**, for example: `https://emieposturl/`. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
+
+- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won't collect any logging data.
For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md).
-
-
-
-
-
-
-
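Review bot: The added alert is written as [!Important], while the other alerts in this change use upper case ([!NOTE], [!WARNING]); use [!IMPORTANT] for consistency. The "Empty string" bullet also carries over the semicolon from the removed line in "If you leave the **Value data** box blank; your employees will be able to...", which should be a comma.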
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 27e231694f..17fad3f1dd 100644
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -34,8 +34,6 @@ landingContent:
url: /lifecycle/faq/internet-explorer-microsoft-edge
- linkListType: download
links:
- - text: Download IE11 with Windows 10
- url: https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise
- text: Enterprise Mode Site List Manager (schema, v.2)
url: https://www.microsoft.com/download/details.aspx?id=49974
- text: Cumulative security updates for Internet Explorer 11
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 445f9c1e89..be73736a92 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -38,37 +38,55 @@ Windows 11 SE is only available preinstalled on devices from OEMs. The OEM insta
Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
-| Application | Supported version | Vendor |
-| --- | --- | --- |
-|Blub Digital Portoflio |0.0.7.0 |bulb|
-|CA Secure Browser |14.0.0 |Cambium Development|
-|Cisco Umbrella |3.0.110.0 |Cisco|
-|Dragon Professional Individual |15.00.100 |Nuance Communications|
-|DRC INSIGHT Online Assessments |12.0.0.0 |DRC|
-|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking|
-|Free NaturalReader |16.1.2 |Natural Soft|
-|GoGuardian |1.4.4 |GoGuardian|
-|Google Chrome |97.0.4692.71 |Google|
-|JAWS for Windows |2022.2112.24 |Freedom Scientific|
-|Kite Student Portal |8.0.1|Dynamic Learning Maps|
-|Kortext |2.3.418.0 |Kortext|
-|LanSchool |9.1.0.46 |Stoneware|
-|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems|
-|Mozilla Firefox |96.0.2 |Mozilla|
-|NextUp Talker |1.0.49 |NextUp Technologies|
-|NonVisual Desktop Access |2021.3.1 |NV Access|
-|NWEA Secure Testing Browser |5.4.300.0 |NEWA|
-|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd.|
-|Safe Exam Broswer |3.3.1 |Safe Exam Broswer|
-|Secure Browser |4.8.3.376 |Questar, Inc|
-|SuperNova Magnifier & Screen Reader | 20.03 |Dolphin Computer Access|
-|SuperNova Magnifier & Speech | 20.03 |Dolphin Computer Access|
-|Respondus Lockdown Browser |2.0.8.03 |Respondus|
-|TestNav |1.10.2.0 |Pearson Education Inc|
-|SecureBrowser |14.0.0 |Cambium Development|
-|Zoom |5.9.1 (2581) |Zoom|
-|ZoomText Fusion |2022.2109.10 |Freedom Scientific|
-|ZoomText Magnifier/Reader |2022.2109.25 |Freedom Scientific|
+| Application | Supported version | App Type | Vendor |
+| --- | --- | --- | --- |
+|AirSecure |8.0.0 |Win32 |AIR|
+|Brave Browser |1.34.80|Win32 |Brave|
+|Bulb Digital Portfolio |0.0.7.0|Store|Bulb|
+|Cisco Umbrella |3.0.110.0 |Win32 |Cisco|
+|CKAuthenticator |3.6 |Win32 |Content Keeper|
+|Class Policy |114.0.0 |Win32 |Class Policy|
+|Classroom.cloud |1.40.0004 |Win32 |NetSupport|
+|CoGat Secure Browser |11.0.0.19 |Win32 |Riverside Insights|
+|Dragon Professional Individual |15.00.100 |Win32 |Nuance Communications|
+|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation|
+|Duo from Cisco |2.25.0 |Win32 |Cisco|
+|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking|
+|eTests |4.0.25 |Win32 |CASAS|
+|FortiClient |7.0.1.0083 |Win32 |Fortinet|
+|Free NaturalReader |16.1.2 |Win32 |Natural Soft|
+|GoGuardian |1.4.4 |Win32 |GoGuardian|
+|Google Chrome |100.0.4896.127|Win32 |Google|
+|Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education|
+|Immunet |7.5.0.20795 |Win32 |Immunet|
+|JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific|
+|Kite Student Portal |8.0.1 |Win32 |Dynamic Learning Maps|
+|Kortext |2.3.433.0 |Store |Kortext|
+|Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems|
+|LanSchool |9.1.0.46 |Win32 |Stoneware|
+|Lightspeed Smart Agent |2.6.2 |Win32 |Lightspeed Systems|
+|Microsoft Connect |10.0.22000.1 |Store |Microsoft|
+|Mozilla Firefox |99.0.1 |Win32 |Mozilla|
+|NAPLAN |2.5.0 |Win32 |NAP|
+|NetSupport Manager |12.01.0011 |Win32 |NetSupport|
+|NetSupport Notify |5.10.1.215 |Win32 |NetSupport|
+|NetSupport School |14.00.0011 |Win32 |NetSupport|
+|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
+|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
+|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
+|Pearson TestNav |1.10.2.0 |Win32 |Pearson|
+|Questar Secure Browser |4.8.3.376 |Win32 |Questar|
+|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
+|Remote Help |3.8.0.12 |Win32 |Microsoft|
+|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus|
+|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
+|Secure Browser |14.0.0 |Win32 |Cambium Development|
+|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
+|SensoCloud test |2021.11.15.0 |Win32|Senso.Cloud|
+|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
+|Zoom |5.9.1 (2581)|Win32 |Zoom|
+|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|
+|ZoomText Magnifier/Reader |2022.2109.25|Win32 |Freedom Scientific|
### Enabled apps
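Review bot: The new table lists the Questar browser twice at the same version 4.8.3.376, once as "Questar Secure Browser" with vendor "Questar" and once as "Secure Browser" with vendor "Questar, Inc"; keep one row and one vendor spelling. Other rows to check before merge: "SensoCloud test" reads like a test package name, "ReadAndWriteForWindows" replaces the readable "Read&Write for Windows (US English)", "Data recognition Corporation" has inconsistent capitalization, and the previous "CA Secure Browser" and "SuperNova Magnifier & Speech" rows disappear without a visible replacement. Because admins use this list to decide which app versions are supported on Windows 11 SE, each dropped or duplicated row should be intentional.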
diff --git a/images/compare-changes.png b/images/compare-changes.png
index 0d86db70f5..183953dc8a 100644
Binary files a/images/compare-changes.png and b/images/compare-changes.png differ
diff --git a/images/contribute-link.png b/images/contribute-link.png
index 4cf685e54e..742a6f53ef 100644
Binary files a/images/contribute-link.png and b/images/contribute-link.png differ
diff --git a/images/pencil-icon.png b/images/pencil-icon.png
index 82fe7852dd..f041c32229 100644
Binary files a/images/pencil-icon.png and b/images/pencil-icon.png differ
diff --git a/images/preview-changes.png b/images/preview-changes.png
index cb4ecab594..54761f44d2 100644
Binary files a/images/preview-changes.png and b/images/preview-changes.png differ
diff --git a/images/propose-changes.png b/images/propose-changes.png
new file mode 100644
index 0000000000..5c16f931fc
Binary files /dev/null and b/images/propose-changes.png differ
diff --git a/images/propose-file-change.png b/images/propose-file-change.png
deleted file mode 100644
index aedbc07b16..0000000000
Binary files a/images/propose-file-change.png and /dev/null differ
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 7da2e85c29..729c76f598 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -574,7 +574,7 @@ See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- [Set up Office 365 for business](/microsoft-365/admin/setup)
- Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/)
-- More info about managing devices, apps, data, troubleshooting, and more in the [/mem/intune/](/mem/intune/)
+- More info about managing devices, apps, data, troubleshooting, and more in the [Intune documentation](/mem/intune/)
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
- Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/)
diff --git a/template.md b/template.md
new file mode 100644
index 0000000000..84c08cc7de
--- /dev/null
+++ b/template.md
@@ -0,0 +1,292 @@
+---
+title: # ARTICLE TITLE in 55 chars or less, most important for SEO. Best to match H1 and TOC, but doesn't have to.
+description: # A summary of the content. 75-300 characters. Used in site search. Sometimes used on a search engine results page for improved SEO. Always end with period.
+ms.date: mm/dd/yyyy
+ms.prod: windows
+ms.technology: windows #more to come...
+ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
+ms.localizationpriority: medium #high null
+author: # GitHub username (aczechowski)
+ms.author: # MS alias (aaroncz)
+ms.reviewer: # MS alias of feature PM, optional
+manager: # MS alias of manager (dougeby)
+ms.collection: # optional
+- # highpri - high priority, strategic, important, current, etc. articles
+- # openauth - the article is owned by PM or community for open authoring
+---
+
+# Metadata and Markdown Template
+
+_Applies to:_
+
+- Windows 11
+- Windows 10
+
+This docs.ms template contains examples of markdown syntax, and guidance on setting the metadata. It's available in the root directory of the Windows repository (`~\windows-docs-pr\template.md`).
+
+When you create a new markdown file article, **Save as** this template to a new file, fill out the metadata as specified below, set the H1 heading above (`#`) to the title of the article, and delete the template content.
+
+## Metadata
+
+The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
+
+- You _must_ have a space between the colon (`:`) and the value for a metadata element.
+
+- Remove all metadata comments (`#`)
+
+- Colons in a value (like the title) break the metadata parser. In their place, use the HTML encoding `:` (for example, `title: Azure Rights Management: the basics`).
+
+- `title`: This title appears in search engine results and the browser tab.
+ - Don't end with a period.
+ - Use Microsoft style _sentence case_.
+ - The title can match the H1 heading (`#`) and the name in the toc.yml, but doesn't have to.
+ - It should be roughly 55 characters or less for best search engine optimization (SEO).
+
+- `description`: Summarize the content, shows in search engine results. 75-300 characters. Always end with a period.
+
+- `ms.date`: After you Save As this template to the target file, with the Docs Authoring Pack extension installed, right-click anywhere in the .md file to **Update `ms.date` metadata value** and save the file.
+
+- `author`: The author field contains the **Github username** of the author.
+ - This value is used in GitHub notifications, assignments, and other build automation in both the private and public repositories.
+ - It's also used to display the first (left-most) contributor in the published article.
+
+- `ms.author` & `manager`: Microsoft aliases. ms.author and author are typically the same.
+ - `ms.reviewer`: Optionally can specify the name of the PM associated with the article. Just for reference, not currently used by any automation.
+
+- `ms.prod`: Should always be `windows` for Windows content. (Some older articles still use `w10` and `w11`.)
+
+- `ms.technology`: Select one of the options based on the feature area. Currently the only option is `windows`.
+
+- `ms.topic`: Select one of the options based on the content type. This attribute is used in calculating content health (different content types are used differently by customers, so have different metrics).
+
+- `ms.localizationpriority`: **Medium** is the default, which is machine translation. For specific, high-priority content that requires human translation (extra cost), set this value to **high**. For any components that are only `en-us`, set this value to **null** for no localization.
+
+## Basic markdown and GFM
+
+All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
+
+- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
+- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
+- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
+
+## Headings
+
+Examples of first- and second-level headings are above.
+
+There **must** be only one first-level heading (`#`, also known as H1) in your article, which is displayed as the published title at the top of the page.
+
+Second-level headings (`##`, also known as H2) generate the on-page TOC that appears in the **In this article** section beside or underneath the on-page title.
+
+Limit the length of second-level headings to avoid excessive line wraps.
+
+Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
+
+Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
+
+Configuration Manager content does use custom anchors in some articles. They're almost always prefixed with `bkmk_`, for example, `bkmk_client`. These anchors can help reduce the anchor size, but does require HTML code that may not always be supported by the docs build system. There's other functionality with the Docs Authoring Pack and the build validation that only works with native header anchors. Use custom anchors sparingly, and remove them in older articles when possible. When removing custom anchors, make sure to update all internal links from the old custom anchor to the native header kebab format.
+
+### Third-level heading
+
+Third-level headings (and beyond) can be any length, as they don't appear **In this article**.
+
+#### Fourth-level heading
+
+##### Fifth level heading
+
+## Text styling
+
+_Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps differentiate with the double asterisk (`**`) for bold)
+
+**Bold**
+
+~~Strikethrough~~
+
+## Links
+
+> [!TIP]
+> Use the **Docs Authoring Pack** extension to easily add links!
+>
+> 1. **Alt** + **M** to open the Docs Authoring Pack menu.
+> 1. Select **Link** and then follow the prompts.
+>
+> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
+
+For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+
+### Article in the same repo
+
+To link to an article in the same repo, use **file-relative links**. These links have the path to the target as relative to the current file, and always include the `.md` or `.yml` extension. For example, `[Windows client documentation for IT Pros](index.yml)`
+
+#### Link to headings
+
+To link to a heading _in the same markdown file_, add just the anchor as the link. It's either a custom HTML anchor (`#bkmk_client`) or the kebab case of the header. For example: `[Link to an article in the same repo](#article-in-the-same-repo)`. Kebab case is preferred over a custom anchor, as the build validates the link. Make sure headings aren't duplicated in the same article.
+
+To link to a heading _in a markdown file in the same repo_, use relative linking + hashtag linking. For example: `[Windows 11 availability](../whats-new/windows-11-plan.md#windows-11-availability)`
+
+### Another docs.ms article
+
+To link to another docs.ms article not in the same repo, use a **root-relative link**. This style supports the potential future use of the doc content in a separate disconnected environment, like for a high security government customer, which would have a different domain. For example, `[Public contributor guide](/contribute/additional-resources)`.
+
+### External URLs
+
+To link to an external file, use the full URL as the link. For example: `[Github](https://www.github.com)`
+
+- The link should always be **HTTPS**.
+- Remove any local from the URL, unless it doesn't work without it. Most all microsoft.com properties support language neutral URLs.
+
+### Example links
+
+If you need to provide an example of a URL in the article, enclose it in a code block. For example: `https://www.contoso.com`
+This style makes sure the URL is ignored during build validation and the broken links report.
+
+### Tips for links
+
+When your pull request runs, the build system validates all file-relative links and non-custom anchors. It will return a warning if it can't resolve a link.
+
+VSCode supports file-relative links and non-custom anchors, so you can easily navigate between pages, and test that links are valid.
+
+There's a broken link report that runs once a week in the build system, get the report from OPS.
+
+Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
+
+For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+
+## Lists
+
+### Ordered lists
+
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+
+You can explicitly number each line if needed, but this style lets the build autonumber it. This style is beneficial if you need to add or remove a step.
+
+#### Ordered list with an embedded list
+
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+ 1. This list is embedded.
+ 1. This list is embedded.
+1. This list is ordered.
+1. This list is ordered.
+
+### Unordered Lists
+
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+
+#### Unordered list with embedded lists
+
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+ - This list is embedded.
+ - This list is embedded.
+- This list is bulleted.
+- This list is bulleted.
+ 1. This list is embedded and ordered.
+ 1. This list is embedded and ordered.
+- This list is bulleted.
+
+## Horizontal rule
+
+---
+
+## Tables
+
+| Tables | Are | Cool |
+| ------------- |:-------------:| -----:|
+| col 3 is | right-aligned | $1600 |
+| col 2 is | centered | $12 |
+| col 1 is default | left-aligned | $1 |
+
+The Docs Authoring Pack has features to manage markdown tables. Select the entire table, then right-click to see the options.
+
+## Code
+
+### Codeblock
+
+```json
+{
+ "aggregator": {
+ "batchSize": 1000,
+ flushTimeout": "00:00:30"
+ }
+}
+```
+
+### In-line code
+
+This sentence includes an example of `in-line code`.
+
+## Blockquote
+
+> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
+
+## Images
+
+Use the Docs Authoring Pack menu to easily insert media.
+
+Always include alt text for accessibility, and always end it with a period.
+
+
+### Static Image
+
+:::image type="content" source="media/deploy1.png" alt-text="A graphic of a laptop as a suitcase.":::
+
+### Image with lightbox
+
+:::image type="content" source="media/deploy2.png" alt-text="A graphic of a computer with external monitor." lightbox="media/W10-WaaS-poster.PNG":::
+
+### Animated gif
+
+:::image type="content" source="media/docs-filter-toc.gif" alt-text="Animated gif of 'filter by title' option in the table of contents.":::
+
+### Linked Image
+
+[](https://azure.microsoft.com)
+
+## Alerts
+
+### Note
+
+> [!NOTE]
+> This is NOTE
+
+### Warning
+
+> [!WARNING]
+> This is WARNING
+
+### Tip
+
+> [!TIP]
+> This is TIP
+
+### Caution
+
+> [!CAUTION]
+> This is CAUTION
+
+### Important
+
+> [!IMPORTANT]
+> This is IMPORTANT
+
+## Videos
+
+### YouTube
+
+> [!VIDEO https://www.youtube.com/embed/rnhnZTrSZzI]
+
+## docs.ms extensions
+
+> [!div class="nextstepaction"]
+> [Next step action](/mem/configmgr)
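Review bot: the JSON sample under "### Codeblock" is not valid JSON, because the line `flushTimeout": "00:00:30"` is missing its opening double quote; anyone who copies the template block or runs it through a linter gets a parse error, so change it to `"flushTimeout": "00:00:30"`. In the Metadata section, the bullet about colons says to use the HTML encoding but shows a bare `:`, and its example title still contains a raw colon, so the guidance contradicts itself as written; the entity (`&#58;`) needs to be escaped so it renders literally in both places. Under "### External URLs", "Remove any local from the URL" should read "locale". The product name is also spelled both "Github" and "GitHub" within the file; use "GitHub" throughout.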
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index ee87f2e5f5..9ee3c86345 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -2,9 +2,6 @@
title: Add or hide optional apps and features on Windows devices | Microsoft Docs
description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: article
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
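Review bot: `ms.prod: w10` is left as is in this front matter, while the template.md added in this same patch states that `ms.prod` should always be `windows` for Windows content and calls `w10` an older value. Since this hunk already edits the metadata block to drop `ms.mktglfcycl`, `ms.sitesec` and `ms.pagetype`, consider updating `ms.prod` in the same pass, here and in the App-V files below that get the identical cleanup, or note in the commit message that the value is being handled separately.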
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index 290b271595..ed4e23e340 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -2,9 +2,6 @@
title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10)
description: Information about what's new in App-V for Windows 10, version 1703 and earlier.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -67,7 +64,7 @@ App-V supports System Center 2016 and System Center 2012 R2 Configuration Manage
-## Related topics
+## Related articles
* [Release Notes for App-V for Windows 10, version 1607](../app-v/appv-release-notes-for-appv-for-windows.md)
* [Release Notes for App-V for Windows 10, version 1703](../app-v/appv-release-notes-for-appv-for-windows-1703.md)
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index 4fa5f87a19..d49eb1249f 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11)
description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -33,6 +30,6 @@ Use the following procedures to add or remove an administrator on the Microsoft
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index c4d52d6ce8..e0eb8f53de 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11)
description: Add or upgrade packages on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -43,6 +40,6 @@ You can use the following procedure to add or upgrade a package to the App-V Man
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index 5e78a6e878..03ad7e6238 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -2,9 +2,6 @@
title: Administering App-V by using Windows PowerShell (Windows 10/11)
description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -52,6 +49,6 @@ The following table describes Windows PowerShell error handling for App-V.
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
index 78a01b2df0..bf7e7c0092 100644
--- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
@@ -2,9 +2,6 @@
title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11)
description: Administering App-V Virtual Applications by using the Management Console
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
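Review bot: the `description` context line in this front matter repeats the title and has no closing period, which conflicts with the template.md guidance added in this patch (summarize the content, 75-300 characters, always end with a period). The hunk already touches this metadata block, so it is a cheap place to replace the description with a real summary sentence. The same applies to appv-apply-the-user-configuration-file-with-powershell.md further down, where the description is also the title repeated.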
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index 8229ce4e12..64361de362 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -2,9 +2,6 @@
title: Only Allow Admins to Enable Connection Groups (Windows 10/11)
description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -32,6 +29,6 @@ Use one of the following methods to allow only administrators to enable or disab
-## Related topics
+## Related articles
- [Managing Connection Groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 6e37203bad..34b447c216 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -2,9 +2,6 @@
title: Application Publishing and Client Interaction (Windows 10/11)
description: Learn technical information about common App-V Client operations and their integration with the local operating system.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 961240387c..c8740e0295 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -2,9 +2,6 @@
title: Apply deployment config file via Windows PowerShell (Windows 10/11)
description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
@@ -45,6 +42,6 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index 5f023014c9..be239ea61e 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -2,9 +2,6 @@
title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11)
description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
@@ -44,6 +41,6 @@ Here's how to specify a user-specific configuration file:
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
index 30dccb2ed4..dc1ca15097 100644
--- a/windows/application-management/app-v/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -2,9 +2,6 @@
title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -93,7 +90,7 @@ There are three types of log files that occur when you sequence multiple apps at
- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters.
-### Related topics
+### Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
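Review bot: the context line for Log.txt names the cmdlet as "NewAppVSequencerPackage", without the hyphen that the Verb-Noun form on the line above (New-BatchAppVSequencerPackages) uses. The heading rename is fine, but since this section is being edited, check the cmdlet name and correct it so readers can search for or run it as written. The same text appears in appv-auto-batch-updating.md.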
diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 9273525175..7c980f474e 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -2,9 +2,6 @@
title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -147,7 +144,7 @@ There are three types of log files that occur when you sequence multiple apps at
- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the **NewAppVSequencerPackage** cmdlet, including the allowed parameters.
-### Related topics
+### Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 0edc5463b0..cb417de5f7 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -2,16 +2,13 @@
title: Auto-remove unpublished packages on App-V client (Windows 10/11)
description: How to automatically clean up any unpublished packages on your App-V client devices.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
----
+---
# Automatically clean up unpublished packages on the App-V client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -59,7 +56,7 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App
-## Related topics
+## Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [Deploying App-V for Windows client](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
index a8a277b8de..90d51b1e29 100644
--- a/windows/application-management/app-v/appv-auto-provision-a-vm.md
+++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md
@@ -2,9 +2,6 @@
title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -122,7 +119,7 @@ After provisioning your sequencing environment, you must sequence your apps, eit
After you sequence your packages, you can automatically clean up any unpublished packages on the App-V client. To learn more, see [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md).
-### Related topics
+### Related articles
- [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0)
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 0c7aeffe75..1cb2437d69 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -2,9 +2,6 @@
title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11)
description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 8757a55bb9..969926e2ed 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -2,9 +2,6 @@
title: App-V Capacity Planning (Windows 10/11)
description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -192,7 +189,7 @@ Although there are many fault-tolerance strategies and technologies you can use,
-## Related topics
+## Related articles
* [App-V supported configurations](appv-supported-configurations.md)
* [Planning for high availability with App-V](appv-planning-for-high-availability-with-appv.md)
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index 25ab412507..df718dd34c 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -2,9 +2,6 @@
title: About Client Configuration Settings (Windows 10/11)
description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 4496a174b1..e6df891618 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to configure access to packages by using the Management Console (Windows 10/11)
description: How to configure access to packages by using the App-V Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/18/2018
ms.reviewer:
@@ -59,6 +56,6 @@ Use the following procedure to configure access to virtualized packages.
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index 2d597185f7..fea49f61d9 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -2,9 +2,6 @@
title: How to make a connection group ignore the package version (Windows 10/11)
description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/18/2018
ms.reviewer:
@@ -64,6 +61,6 @@ For more information, see [How to manage App-V packages running on a stand-alone
-## Related topics
+## Related articles
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
index 6b86fc2b2e..049605ef02 100644
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
@@ -2,9 +2,6 @@
title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11)
description: How to configure the client to receive package and connection groups updates from the publishing server.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to configure the client to receive package and connection groups updates from the publishing server
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -62,6 +60,6 @@ This article will tell you how to configure the App-V client to receive updates
-## Related topics
+## Related article
* [Operations for App-V](appv-operations.md)
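Review bot: The heading on the `+` line reads "## Related article" (singular), while the other files in this change use "## Related articles". Suggest "## Related articles" here as well so the heading is uniform across the App-V articles.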
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index 06de437d79..253636d464 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -2,9 +2,6 @@
title: How to connect to the Management Console (Windows 10/11)
description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to connect to the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,6 +26,6 @@ Use the following procedure to connect to the App-V Management Console.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
index 92dc7627d6..8ceb9b6c5f 100644
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ b/windows/application-management/app-v/appv-connection-group-file.md
@@ -2,9 +2,6 @@
title: About the connection group file (Windows 10/11)
description: A summary of what the connection group file is and how to configure it.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# About the connection group file
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -141,6 +139,6 @@ App-V supports the following application connection configurations.
-## Related topics
+## Related articles
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index 1329a1cb1a..db04478772 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -2,9 +2,6 @@
title: About the connection group virtual environment (Windows 10/11)
description: Learn how the connection group virtual environment works and how package priority is determined.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -81,6 +78,6 @@ When a virtualized application tries to find a specific file, App-V will search
-## Related topics
+## Related articles
- [Managing Connection Groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 9f0ed57692..1684f4c3f3 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -2,9 +2,6 @@
title: How to convert a package created in a previous version of App-V (Windows 10/11)
description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -89,6 +86,6 @@ The App-V package converter will save the App-V 4.6 installation root folder and
- Other functionality—Windows PowerShell has other built-in functionality for features such as aliases, lazy-binding, .NET Object, and many others. These features can help you create advanced scenarios for the Package Converter.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 9e341e6f82..ee158c7267 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -2,9 +2,6 @@
title: How to create a connection croup with user-published and globally published packages (Windows 10/11)
description: How to create a connection croup with user-published and globally published packages.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
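Review bot: The `title:` and `description:` context lines in this front matter both say "connection croup"; this should be "connection group". The change already edits this metadata block, so fix the typo in both lines in the same pass.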
@@ -62,6 +59,6 @@ Here are some important things to know before you get started:
-## Related topics
+## Related articles
- [Managing Connection Groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index b4d48a6138..260369d8c3 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -2,9 +2,6 @@
title: How to create a connection group (Windows 10/11)
description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -45,7 +42,7 @@ When you place packages in a connection group, their package root paths merge. I
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index c8d9b25862..0190e974ef 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11)
description: How to create a custom configuration file by using the App-V Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to create a custom configuration file by using the App-V Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -34,6 +32,6 @@ You can create a dynamic user configuration file with the App-V Management Conso
> If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enalbed and set to block downloads, you won't be able to download anything from the App-V Server.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
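Review bot: The note in the context line just above the heading has a typo, "enalbed" for "enabled", which is worth fixing while this file is open. The same note tells admins to disable IE Enhanced Security Configuration on Windows Server in order to export a configuration; consider adding that the setting should be turned back on once the export is done, so the server is not left with that hardening off.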
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index 4a69807fe8..28482df125 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -2,9 +2,6 @@
title: How to create a package accelerator by using Windows PowerShell (Windows 10/11)
description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
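Review bot: The `description:` context line spells the product "App-v" in "App-v Package Accelerator", while the second sentence of the same line uses "App-V". Fix the casing to "App-V" while the front matter is being touched.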
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index c424df0536..3f2be47130 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -2,9 +2,6 @@
title: How to create a package accelerator (Windows 10/11)
description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to create a package accelerator
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -75,7 +73,7 @@ Use the following procedure to create a package accelerator.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
- [How to create a virtual application package using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md)
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index d3785312ee..babfd64cfe 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -2,9 +2,6 @@
title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11)
description: How to create a virtual application package using an App-V Package Accelerator.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to create a virtual application package using an App-V Package Accelerator
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -75,6 +73,6 @@ Use the following procedure to create a virtual application package with the App
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 7bd90c04f0..32aca7fa5e 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -2,9 +2,6 @@
title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11)
description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Create and apply an App-V project template to a sequenced App-V package
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -49,7 +47,7 @@ After creating the template, you can apply it to all of your new virtual app pac
3. Create your new virtual app package. The settings saved with your template are automatically applied.
-### Related topics
+### Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
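Review bot: The renamed heading stays at level three ("### Related articles"), whereas the other files in this change use "## Related articles". If this section is not meant to nest under the preceding section, make it "##" for consistency.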
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index b4a7f6d068..5dd5070e14 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -2,9 +2,6 @@
title: Creating and managing App-V virtualized applications (Windows 10/11)
description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -152,6 +149,6 @@ You can also find additional information about sequencing errors using the Windo
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index 8e4c7d87d1..4b06455581 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11)
description: How to customize virtual application extensions for a specific AD group by using the Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -36,6 +33,6 @@ Use the following procedure to customize the virtual application extensions for
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 029f29e3c2..13a1040daf 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -2,9 +2,6 @@
title: How to delete a connection group (Windows 10/11)
description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to delete a connection group
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,7 +26,7 @@ Use the following procedure to delete an existing App-V connection group.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index ad05d36d3f..e4df263550 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to delete a package in the Management Console (Windows 10/11)
description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to delete a package in the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,6 +26,6 @@ Use the following procedure to delete an App-V package.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index 453435774b..9c2e2e8c68 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -2,9 +2,6 @@
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11)
description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to deploy the App-V databases by using SQL scripts
>Applies to: Windows Server 2016
@@ -182,7 +180,7 @@ Steps to install "AppVReporting" schema in SQL SERVER.
-## Related topics
+## Related articles
* [Deploying the App-V Server](appv-deploying-the-appv-server.md)
* [How to deploy the App-V Server](appv-deploy-the-appv-server.md)
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 0100900c31..1c04491cc8 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -1,10 +1,7 @@
---
title: How to deploy App-V packages using electronic software distribution (Windows 10/11)
-description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
+description: Learn how to use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to deploy App-V packages using electronic software distribution
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -44,6 +42,6 @@ Use one of the following methods to publish packages to App-V client computers w
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 644dd1343f..0025905016 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -2,9 +2,6 @@
title: How to Deploy the App-V Server Using a Script (Windows 10/11)
description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to deploy the App-V server using a script
>Applies to: Windows Server 2016
@@ -521,6 +519,6 @@ To use a custom instance of Microsoft SQL Server, use these parameters:
-## Related topics
+## Related articles
* [Deploying the App-V Server](appv-deploying-the-appv-server.md)
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 2008ff70ab..b054a15012 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -2,9 +2,6 @@
title: How to Deploy the App-V Server (Windows 10/11)
description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to Deploy the App-V Server (new installation)
>Applies to: Windows Server 2016
@@ -107,7 +105,7 @@ ms.topic: article
Example: `http://localhost:12345/console.html`. If the installation succeeded, the App-V Management console will display with no errors.
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
* [How to install the management and reporting databases on separate computers from the management and reporting services](appv-install-the-management-and-reporting-databases-on-separate-computers.md)
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index f5b38832b7..8dbb0be4d1 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -2,9 +2,6 @@
title: Deploying App-V (Windows 10/11)
description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,11 +9,12 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying App-V for Windows client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-App-V supports several different deployment options. Review this topic for information about the tasks that you must complete at different stages in your deployment.
+App-V supports several different deployment options. Review this article for information about the tasks that you must complete at different stages in your deployment.
## App-V Deployment Information
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 3b8a59633f..cf9b704fd3 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -2,9 +2,6 @@
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10/11)
description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying Microsoft Office 2010 by Using App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index d15ea0bd7c..3dff5e4e6f 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -2,9 +2,6 @@
title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying Microsoft Office 2013 by Using App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index f00ec718f9..657f495e80 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -2,9 +2,6 @@
title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying Microsoft Office 2016 by using App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -375,7 +373,7 @@ The following table describes the requirements and options for deploying Visio 2
| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
If you're not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. |
| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
**To create two different packages and deploy each one to a different group of users**:
Create and deploy the following packages:
- A package that contains only Office—deploy to computers whose users need only Office.
- A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.
**To create only one package for the whole organization, or to create a package intended for users who share computers**:
1. Create a package that contains Office, Visio, and Project.
2. Deploy the package to all users.
3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. |
-## Related topics
+## Related articles
* [Deploying App-V for Windows client](appv-deploying-appv.md)
* [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
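Review bot: The first table row in the context lines still says "described in this topic", while this change moves from "topic" to "article" elsewhere (the heading at the end of this hunk, and "Review this article" in appv-deploying-appv.md). Update that sentence to "described in this article" so the terminology is consistent within the file.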
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 9a36b51345..3611a2181c 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -2,9 +2,6 @@
title: Deploying App-V packages by using electronic software distribution (ESD)
description: Deploying App-V packages by using electronic software distribution (ESD)
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
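Review bot: In this front matter the `description:` is a word-for-word copy of the `title:`, and the title lacks the "(Windows 10/11)" suffix that the sibling files in this change carry. Since the metadata block is being edited anyway, give the description a real summary sentence and align the title suffix.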
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying App-V packages by using electronic software distribution (ESD)
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,7 +26,7 @@ To learn more about how to deploy virtualized packages using an ESD, see [How to
To learn how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD, see [How to enable only administrators to publish packages by using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md).
-## Related topics
+## Related articles
- [App-V and Citrix integration](https://www.microsoft.com/download/details.aspx?id=40885)
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index 0336c74412..f9634bb42c 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -2,9 +2,6 @@
title: Deploying the App-V Sequencer and configuring the client (Windows 10/11)
description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying the App-V Sequencer and configuring the client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 447af752a5..e425121b5a 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -2,9 +2,6 @@
title: Deploying the App-V Server (Windows 10/11)
description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying the App-V server
>Applies to: Windows Server 2016
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 971998ee44..6daec0a802 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -2,9 +2,6 @@
title: App-V Deployment Checklist (Windows 10/11)
description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V Deployment Checklist
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -31,6 +29,6 @@ This checklist outlines the recommended steps and items to consider when deployi
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 43866694ff..940ef0f90c 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -2,9 +2,6 @@
title: About App-V Dynamic Configuration (Windows 10/11)
description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# About App-V dynamic configuration
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index 46d4a0a4fe..7e4ecc2081 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11)
description: How to Enable Reporting on the App-V Client by Using Windows PowerShell
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
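Review bot: the `description:` in this front-matter hunk is a word-for-word copy of the `title:` ("How to Enable Reporting on the App-V Client by Using Windows PowerShell"), so it gives search results and article summaries nothing beyond the title. Since the hunk already edits this block, replace it with a one-sentence summary of what the procedure configures, in the style of the "Learn how to ..." descriptions that sibling files in this patch carry, such as appv-enable-the-app-v-desktop-client.md.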
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to Enable Reporting on the App-V Client by Using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -43,7 +41,7 @@ Use the following procedure to configure the App-V for reporting.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index ac9ff40578..337a016044 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -2,9 +2,6 @@
title: Enable the App-V in-box client (Windows 10/11)
description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Enable the App-V in-box client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 964c753d27..0bfbdf81ed 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -2,9 +2,6 @@
title: Evaluating App-V (Windows 10/11)
description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Evaluating App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
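Review bot: the front matter of this file closes directly after `ms.author: aaroncz` with no `ms.topic` line, while the other App-V articles touched in this patch have `ms.topic: article` at that position. This hunk only drops a blank line before the H1; add `ms.topic: article` above the closing `---` here so the metadata cleanup leaves the set consistent.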
@@ -20,7 +16,7 @@ ms.author: aaroncz
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
-Before you deploy App-V into a production environment, you should evaluate it in a lab environment. You can use the information in this topic to set up App-V in a lab environment for evaluation purposes only.
+Before you deploy App-V into a production environment, you should evaluate it in a lab environment. You can use the information in this article to set up App-V in a lab environment for evaluation purposes only.
## Configure lab computers for App-V Evaluation
@@ -51,6 +47,6 @@ Use the following links for more information about creating and managing virtual
- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
-## Related topics
+## Related articles
- [Getting Started with App-V](appv-getting-started.md)
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index bc05a5d4aa..5218e5194d 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -1,10 +1,7 @@
---
title: Application Virtualization (App-V) (Windows 10/11)
-description: See various topics that can help you administer Application Virtualization (App-V) and its components.
+description: See various articles that can help you administer Application Virtualization (App-V) and its components.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Application Virtualization (App-V) for Windows client overview
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -19,7 +17,7 @@ ms.topic: article
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
-The topics in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users.
+The articles in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users.
[Getting started with App-V](appv-getting-started.md)
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 7fd466e9c5..813ac3e0df 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -2,9 +2,6 @@
title: Getting Started with App-V (Windows 10/11)
description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Getting started with App-V for Windows client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index e9865ae8bb..beb7f72afc 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -2,9 +2,6 @@
title: High-level architecture for App-V (Windows 10/11)
description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# High-level architecture for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -32,6 +30,6 @@ A typical App-V implementation consists of the following elements.
>[!NOTE]
>If you are using App-V with electronic software distribution (ESD), you aren't required to use the App-V Management server. However, you can still use App-V's reporting and streaming functionality.
-## Related topics
+## Related articles
- [Getting Started with App-V](appv-getting-started.md)
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index ad8668ac96..7f3634d48b 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11)
description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -141,6 +138,6 @@ Before attempting this procedure, you should read and understand the information
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index 63b3cdcfd2..3f9382ed18 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -2,9 +2,6 @@
title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11)
description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services
>Applies to: Windows Server 2016
@@ -69,13 +67,13 @@ Use the following procedure to install the database server and management server
4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
> [!NOTE]
- >For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md).
+ >For more information about modifying the required SIDs contained in the scripts, see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md).
5. Run the scripts on the computer running Microsoft SQL Server.
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
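Review bot: the added note line fixes the missing comma before "see" but keeps the stray one after it, so the sentence now reads "contained in the scripts, see, [How to Install the App-V Databases ...". Drop the second comma so it reads "contained in the scripts, see [How to Install the App-V Databases ...".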
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 6a735c487a..ce718b9ce8 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -2,9 +2,6 @@
title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11)
description: How to install the Management Server on a Standalone Computer and Connect it to the Database
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to install the Management Server on a Standalone Computer and Connect it to the Database
>Applies to: Windows Server 2016
@@ -38,6 +36,6 @@ To install the management server on a standalone computer and connect it to the
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index a5d761bf80..2217e93aab 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -2,9 +2,6 @@
title: Install the Publishing Server on a Remote Computer (Windows 10/11)
description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to install the publishing server on a remote computer
>Applies to: Windows Server 2016
@@ -60,6 +58,6 @@ Use the following procedure to install the publishing server on a separate compu
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index 40d6a0906b..109695af22 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -2,9 +2,6 @@
title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11)
description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to install the reporting server on a standalone computer and connect it to the database
>Applies to: Windows Server 2016
@@ -42,7 +40,7 @@ Use the following procedure to install the reporting server on a standalone comp
-## Related topics
+## Related articles
* [About App-V reporting](appv-reporting.md)
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index f53702ace1..c3f7e5871f 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -2,9 +2,6 @@
title: Install the App-V Sequencer (Windows 10/11)
description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Install the App-V Sequencer
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -56,6 +54,6 @@ For more information regarding the sequencer installation, you can view the erro
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index a6d176cee5..2f7f7198c4 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -2,9 +2,6 @@
title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11)
description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index f09e745825..4920d942b8 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -2,9 +2,6 @@
title: Maintaining App-V (Windows 10/11)
description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Maintaining App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 7a32f99f96..3530f44a72 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11)
description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -21,7 +17,7 @@ An App-V connection group allows you to run all the virtual applications as a de
A connection group XML file defines the connection group for the App-V client. For information about the connection group XML file and how to configure it, see [About the Connection Group File](appv-connection-group-file.md).
-This topic explains the following procedures:
+This article explains the following procedures:
- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group)
@@ -90,7 +86,7 @@ This topic explains the following procedures:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index a769395ffe..101a4319c9 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -2,9 +2,6 @@
title: Managing Connection Groups (Windows 10/11)
description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Managing Connection Groups
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index 45669bd33e..ffc314ab6a 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -2,9 +2,6 @@
title: Migrating to App-V from a Previous Version (Windows 10/11)
description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Migrating to App-V from previous versions
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -119,7 +115,7 @@ There's no direct method to upgrade to a full App-V infrastructure. Use the info
|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)|
|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)|
|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)|
-|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|
+|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this article.|
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
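Review bot: in the table row two lines above the changed one, the link text still reads "Enable the App-V desktop client", but the target appv-enable-the-app-v-desktop-client.md is titled "Enable the App-V in-box client" elsewhere in this patch. Since this hunk already edits the table's wording, update that link text to match the target article's title.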
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index 86dd8a2e20..73cca93a49 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -2,9 +2,6 @@
title: How to Modify an Existing Virtual Application Package (Windows 10/11)
description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,12 +9,11 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Modify an Existing Virtual Application Package
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-This topic explains how to:
+This article explains how to:
- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package)
@@ -151,6 +147,6 @@ This topic explains how to:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index e3d8c9c251..ed3b70bd54 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11)
description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Modify Client Configuration by Using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -34,6 +30,6 @@ Use the following procedure to configure the App-V client configuration.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 011db77850..b54803c5c3 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -2,9 +2,6 @@
title: How to Move the App-V Server to Another Computer (Windows 10/11)
description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to move the App-V server to another computer
**Applies to**
@@ -33,6 +29,6 @@ Follow these steps to create a new management server console:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index 80ba2f4fbd..cc6eb653d1 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -2,9 +2,6 @@
title: Operations for App-V (Windows 10/11)
description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Operations for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index ee185b6c84..16d57ffc8b 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -2,9 +2,6 @@
title: Performance Guidance for Application Virtualization (Windows 10/11)
description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Performance Guidance for Application Virtualization
**Applies to**:
@@ -509,6 +505,6 @@ The following terms are used when describing concepts and actions related to App
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Application Virtualization (App-V) overview](appv-for-windows.md)
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index 0f7bd36c74..4587de5ccf 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -2,9 +2,6 @@
title: App-V Planning Checklist (Windows 10/11)
description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V Planning Checklist
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -34,6 +32,6 @@ This checklist can be used to help you plan for preparing your organization for
-## Related topics
+## Related articles
[Planning for App-V](appv-planning-for-appv.md)
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index a1adab31c4..7e5df34930 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -2,9 +2,6 @@
title: Planning to Use Folder Redirection with App-V (Windows 10/11)
description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning to Use Folder Redirection with App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index 89fad53e83..bb8c0a834a 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -2,9 +2,6 @@
title: Planning for the App-V Server Deployment (Windows 10/11)
description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for the App-V server deployment
>Applies to: Windows Server 2016
@@ -57,7 +55,7 @@ The following table lists server-related protocols used by the App-V servers, an
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
* [Deploying the App-V server](appv-deploying-the-appv-server.md)
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index a0802a654d..1436e5d26f 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -2,9 +2,6 @@
title: Planning for App-V (Windows 10/11)
description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index 770424df0f..b36e523319 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -2,9 +2,6 @@
title: Planning for High Availability with App-V Server
description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for high availability with App-V Server
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -104,6 +102,6 @@ The App-V management server database supports deployments to computers running M
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 152049e1d7..f0cdc63ccc 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -2,9 +2,6 @@
title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11)
description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for the App-V Sequencer and Client Deployment
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -58,7 +56,7 @@ The following list displays some of the benefits of using App-V SCS:
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
-## Related topics
+## Related articles
* [How to install the sequencer](appv-install-the-sequencer.md)
* [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index 9256e08578..e6b05d14bb 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -2,9 +2,6 @@
title: Planning for Deploying App-V with Office (Windows 10/11)
description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for deploying App-V with Office
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -48,7 +46,7 @@ Before implementing Office coexistence, review the information in the following
|Office 2013|[How to use Office 2013 suites and programs (MSI deployment) on a computer running another version of Office](https://support.microsoft.com/kb/2784668)|
|Office 2010|How to use Office 2010 suites and programs on a computer running another version of Office](https://support.microsoft.com/kb/2121447)|
-Once you've reviewed the relevant guide, this topic will supplement what you've learned with information about Office coexistence that's more specific to App-V deployments.
+Once you've reviewed the relevant guide, this article will supplement what you've learned with information about Office coexistence that's more specific to App-V deployments.
### Supported Office coexistence scenarios
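Review bot: The Office 2010 row in the unchanged context just above the edited sentence has a broken link: the cell starts with `How to use Office 2010 suites` and is missing the opening `[`, so the `](https://support.microsoft.com/kb/2121447)` tail renders as literal text. This hunk already edits the sentence directly below the table, so add the bracket here to make the row match the Office 2013 row.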
@@ -125,7 +123,7 @@ The Office 2013 or Office 2016 App-V package supports the following integration
|Primary Interop Assemblies|Support managed add-ins|
|Office Document Cache Handler|Allows Document Cache for Office applications|
|Outlook Protocol Search Handler|User can search in Outlook|
-|Active X Controls|For more information on ActiveX controls, refer to [ActiveX Control API Reference](
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index 44a6c6ec5c..8ffcdfb10f 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -2,9 +2,6 @@
title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11)
description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Release Notes for App-V for Windows 10 version 1703 and later
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -108,7 +104,7 @@ For information that can help with troubleshooting App-V for Windows client, see
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
- [What's new in App-V for Windows client](appv-about-appv.md)
- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)
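Review bot: The second list item under the renamed heading is labeled "version 1607", but its target is `appv-release-notes-for-appv-for-windows-1703.md`, which is the file this hunk edits, so the link points back at the same page. The 1607 release notes appear elsewhere in this patch as `appv-release-notes-for-appv-for-windows.md`; point the link there.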
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index 5d42b2690d..3cdbf4b20c 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -2,9 +2,6 @@
title: Release Notes for App-V for Windows 10, version 1607 (Windows 10)
description: A list of known issues and workarounds for App-V running on Windows 10, version 1607.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index cee9484018..2ca67c8695 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -2,9 +2,6 @@
title: About App-V Reporting (Windows 10/11)
description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# About App-V reporting
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -212,7 +210,7 @@ You should also ensure that the reporting server web service’s **Maximum Concu
-## Related topics
+## Related articles
* [Deploying the App-V server](appv-deploying-the-appv-server.md)
* [How to install the reporting server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md)
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index 8f37e1c8d1..3237fd2de8 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -2,9 +2,6 @@
title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11)
description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 03/08/2018
ms.reviewer:
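Review bot: The `description:` value kept in this front matter is a word-for-word copy of the title. While the metadata is being cleaned up, replace it with a sentence that says what the article covers, as most other App-V articles in this patch do.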
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
**Applies to**
@@ -135,7 +131,7 @@ If you don’t know the exact name of your package, use the command line `Get-Ap
This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running.
-## Related topics
+## Related articles
[Technical Reference for App-V](appv-technical-reference.md)
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index 4c9e36326a..5edc3a1207 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -2,9 +2,6 @@
title: App-V Security Considerations (Windows 10/11)
description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,11 +9,12 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V security considerations
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
+This article contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
>[!IMPORTANT]
>App-V isn't a security product and doesn't provide any guarantees for a secure environment.
@@ -70,6 +68,6 @@ The following information will help you plan how to ensure that virtualized pack
During App-V setup, setup log files are created in the **%temp%** folder of the installing user.
-## Related topics
+## Related articles
[Preparing Your Environment for App-V](appv-preparing-your-environment.md)
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index a373a054fb..5a9c710587 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -2,9 +2,6 @@
title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer)
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -212,7 +210,7 @@ Starting with Windows 10 version 1607, the App-V Sequencer is included with the
>After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer.
-## Related topics
+## Related articles
- [Install the App-V Sequencer](appv-install-the-sequencer.md)
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 7bf6811af5..6b99b11b7d 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -2,9 +2,6 @@
title: How to sequence a package by using Windows PowerShell (Windows 10/11)
description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Sequence a Package by using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -25,7 +21,7 @@ Use the following procedure to create a new App-V package using Windows PowerShe
**To create a new virtual application by using Windows PowerShell**
-1. Install the App-V sequencer. For more information about installing the sequencer see [How to Install the Sequencer](appv-install-the-sequencer.md).
+1. Install the App-V sequencer. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
2. Click **Start** and type **Windows PowerShell**. Right-click **Windows PowerShell**, and select **Run as Administrator**.
@@ -67,7 +63,7 @@ Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `up
> [!IMPORTANT]
> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
-## Related topics
+## Related articles
- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index 0214e455b2..071879bc7c 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -2,9 +2,6 @@
title: App-V Supported Configurations (Windows 10/11)
description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V Supported Configurations
**Applies to**:
@@ -24,7 +22,7 @@ ms.topic: article
- Windows Server 2012
- Windows Server 2008 R2 (Extended Security Update)
-This topic specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md).
+This article specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md).
## App-V Server system requirements
@@ -123,7 +121,7 @@ See the Windows or Windows Server documentation for the hardware requirements.
The App-V client works with Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606.
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
* [App-V prerequisites](appv-prerequisites.md)
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index 36c6a128fb..786dc0acb1 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -2,9 +2,6 @@
title: Technical Reference for App-V (Windows 10/11)
description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Technical Reference for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
index 69dd653179..54322edfa1 100644
--- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11)
description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
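Review bot: The `description:` line left in place here only repeats the title text "How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console". Since the front matter is already being edited, give it a real summary of the procedure.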
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -33,6 +29,6 @@ Use the following procedure to transfer the access and default package configura
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index f61d909a07..d5444ae7ab 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -1,10 +1,7 @@
---
title: Troubleshooting App-V (Windows 10/11)
-description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics.
+description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Troubleshooting App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index 792fd16cb7..d8687a7cf5 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -2,9 +2,6 @@
title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11)
description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index 33d519b976..c7ece16ed1 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -2,9 +2,6 @@
title: Using the App-V Client Management Console (Windows 10/11)
description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,12 +9,11 @@ manager: dougeby
ms.author: aaroncz
---
-
# Using the App-V Client Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
+This article provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
## Options for managing the App-V client
@@ -60,6 +56,6 @@ The client management console contains the following described main tabs.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
index 5c8b1a7cad..c3742fa2f9 100644
--- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11)
description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
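Review bot: The `description:` field in this front matter duplicates the title verbatim. Write a short summary of what the reader can view and configure instead of carrying the duplicate forward.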
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -37,6 +33,6 @@ Use the following procedure to view and configure default package extensions.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index ec8fc27864..b74ad51647 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -2,9 +2,6 @@
title: Viewing App-V Server Publishing Metadata (Windows 10/11)
description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Viewing App-V Server Publishing Metadata
**Applies to**
@@ -95,6 +91,6 @@ In your publishing metadata query, enter the string values that correspond to th
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Technical Reference for App-V](appv-technical-reference.md)
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 1e1bd53e0d..ba0a92dcf7 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index b9d63a3d9c..d85b5ea89f 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -8,7 +8,6 @@ ms.reviewer:
manager: dougeby
ms.topic: article
ms.prod: w10
-keywords: windows 10, uwp, enterprise, background task, resources
---
# Remove background task resource restrictions
diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md
index 477c2848c0..17dace9c69 100644
--- a/windows/application-management/includes/app-v-end-life-statement.md
+++ b/windows/application-management/includes/app-v-end-life-statement.md
@@ -3,7 +3,6 @@ author: aczechowski
ms.author: aaroncz
ms.date: 09/20/2021
ms.reviewer:
-audience: itpro
manager: dougeby
ms.prod: w10
ms.topic: include
diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md
index 771c441905..7cb153ddb7 100644
--- a/windows/application-management/includes/applies-to-windows-client-versions.md
+++ b/windows/application-management/includes/applies-to-windows-client-versions.md
@@ -3,7 +3,6 @@ author: aczechowski
ms.author: aaroncz
ms.date: 09/28/2021
ms.reviewer:
-audience: itpro
manager: dougeby
ms.prod: w10
ms.topic: include
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index b602dd6fa0..122ffdd4f1 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -3,10 +3,7 @@ title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/
description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises.
ms.reviewer:
manager: dougeby
-keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
@@ -34,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. Download the FOD .cab file:
- [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- - [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
+ - [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
- [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
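Review bot: Only the Windows 10, version 2004 link moves to software-static.download.prss.microsoft.com; the Windows 11, version 21H2, Windows 10 1903/1909 and 1809 entries in the same list still point at software-download.microsoft.com. If that host is going away, update those links in this change too, or say in the commit message why only one URL needed changing. The Windows 11 file name also reads `~amd_64~~` where the other entries use `amd64`; verify it against the real package name, because admins import these .cab files into WSUS from this list.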
@@ -102,6 +99,6 @@ In the following example, the **Id** can be any generated GUID and the **Name**
```
-## Related topics
+## Related articles
- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
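Review bot: The heading becomes "Related articles" here, while other files in this same change add new "## Related topics" headings (Language-pack-management-csp.md and accountmanagement-csp.md, for example). Pick one heading text and use it in every file the change touches.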
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 58a6ac7e49..4657bd8ea3 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -2,9 +2,6 @@
title: Per-user services in Windows 10 and Windows Server
description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.date: 09/14/2017
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index f41a49eb16..17fe815f82 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -1,14 +1,10 @@
---
title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs
description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices.
-ms.assetid:
manager: dougeby
ms.author: aaroncz
ms.reviewer: amanh
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.date: 09/15/2021
ms.localizationpriority: medium
diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md
index 67850b66e7..c155a0e790 100644
--- a/windows/application-management/provisioned-apps-windows-client-os.md
+++ b/windows/application-management/provisioned-apps-windows-client-os.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
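Review bot: The `description` value in this front matter still reads "get a list off the provisioned apps installed in Windows OS" and "installed a Windows Enterprise client computer". Since the block is being edited anyway, fix "off" to "of" and add the missing "on" so the search snippet built from this field reads correctly.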
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 88a88de355..d05b8db3c7 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -2,8 +2,6 @@
title: How to keep apps removed from Windows 10 from returning during an update
description: How to keep provisioned apps that were removed from your machine from returning during an update.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.author: aaroncz
author: aczechowski
ms.date: 05/25/2018
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index b166f06efd..0e20c16ba3 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,14 +1,10 @@
---
title: Sideload LOB apps in Windows client OS | Microsoft Docs
description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device.
-ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.localizationpriority: medium
---
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 6158870fa4..7fe5fa1c05 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -2,9 +2,6 @@
title: Service Host service refactoring in Windows 10 version 1703
description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.date: 07/20/2017
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index 5b41691ed9..89689b0d06 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
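Review bot: The `description` line kept as context here has the same two slips as its provisioned-apps counterpart: "a list off the system apps" and "installed a Windows Enterprise client computer". Correct them in this pass rather than leaving them for a follow-up.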
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 4c10dc0ad9..25a95f6c0b 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -13,6 +13,16 @@ ms.date: 06/22/2021
# Language Pack Management CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
@@ -81,3 +91,7 @@ The Language Pack Management CSP allows a direct way to provision languages remo
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
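Review bot: The new last line, the "Configuration service provider reference" link, is added without a trailing newline, as the "\ No newline at end of file" marker shows. End the file with a newline so the next edit to this section does not produce a spurious one-line diff.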
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 7be2cf47f8..b55a87941f 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement CSP
-
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!NOTE]
@@ -41,7 +40,9 @@ Interior node.
**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
-Supported operations are Add, Get, Replace, and Delete. Value type is bool.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is bool.
**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
@@ -52,19 +53,29 @@ Valid values:
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is integer.
**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is integer.
**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is integer.
**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
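Review bot: The split of "Supported operations are Add, Get, Replace, and Delete." and "Value type is integer." into separate paragraphs is applied to DeletionPolicy, StorageCapacityStartDeletion and StorageCapacityStopDeletion, but ProfileInactivityThreshold at the end of this hunk still keeps both sentences on one line. Apply the same split there so all five UserProfileManagement nodes are formatted alike.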
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index c4c26237bc..51380b7ed8 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
@@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803.
The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
+|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version
The version can be used either in the HighSection or LowSection of the BinaryVersionRange.
HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
@@ -293,13 +303,13 @@ Here's an example AppLocker publisher rule:
You can get the publisher name and product name of apps using a web API.
-**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
+**To find publisher and product name for Microsoft apps in Microsoft Store for Business:**
-1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
+1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**.
-3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
+3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
Request URI:
@@ -359,17 +369,13 @@ The product name is first part of the PackageFullName followed by the version nu
| SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 |
-
## Inbox apps and components
-
The following list shows the apps that may be included in the inbox.
> [!NOTE]
> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
-
-
|App|Product ID|Product name|
|--- |--- |--- |
|3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)|
@@ -1277,6 +1283,7 @@ The following example for Windows 10 Holographic for Business denies all apps an
```
## Recommended blocklist for Windows Information Protection
+
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
@@ -1460,5 +1467,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index 7bde68650f..2f322128e5 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# AppLocker DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -672,15 +671,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
## Related topics
-
-[AppLocker configuration service provider](applocker-csp.md)
-
-
-
-
-
-
-
-
-
-
+[AppLocker configuration service provider](applocker-csp.md)
\ No newline at end of file
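Review bot: Removing the run of blank lines is fine, but the re-added "[AppLocker configuration service provider](applocker-csp.md)" line now ends the file with no trailing newline. Keep a single newline after it.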
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 0b28cf30d1..5f61ca771d 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -13,7 +13,17 @@ ms.date: 05/03/2022
# AssignedAccess CSP
-The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
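Review bot: The rewritten introduction changes "the next user sign in" to "the next user login" without a stated reason. If the docs' term is "sign in", keep it and use the noun form "sign-in" here. The sentence also still says "puts the device into the kiosk mode"; "into kiosk mode" reads better. The new table lists Pro and Business as "Yes" for Windows 10 with no version qualifier, while the note further down says Pro support starts with version 1709, so consider a footnote.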
@@ -23,14 +33,14 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider (
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!Note]
-> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
+> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following example shows the AssignedAccess configuration service provider in tree format
-```
+```console
./Vendor/MSFT
AssignedAccess
----KioskModeApp
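Review bot: In the Windows Hello note, the added line fixes "a appropriate" and puts `KeyCredentialManager.IsSupportedAsync` in code formatting, but still says "select your convenience pin" in lowercase next to "PIN" earlier in the same sentence. Make it "convenience PIN". Separately, the fence language changes to `console` for what is a CSP node tree, not a terminal session; a plain text fence would describe the content more accurately.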
@@ -44,14 +54,14 @@ AssignedAccess
Root node for the CSP.
**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
-A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
+A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app).
For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
> [!Note]
-> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
+> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
-> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
+> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
> [!Note]
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
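Review bot: The second added note line still ends with "will return the configured JSON string even it’s not effective", which is missing "if" and uses a curly apostrophe. This sentence matters because the same note says Add/Replace/Delete on KioskModeApp always return SUCCESS once the Configuration node is set, so an MDM admin gets no error when the kiosk app setting is silently ignored. Suggest "returns the configured JSON string even if it isn't in effect", and consider stating directly that a SUCCESS result does not mean the KioskModeApp value was applied.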
@@ -453,7 +463,7 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea
);
```
-Here's the schema for new features introduced in Windows 10 1809 release
+Here's the schema for new features introduced in Windows 10 1809 release:
```xml
@@ -500,6 +510,7 @@ Here's the schema for new features introduced in Windows 10 1809 release
```
Schema for Windows 10 prerelease
+
```xml
Desc.0409
with a value of "GPRS Connection"
will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry.
+A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
**Enabled**
Specifies if the connection is enabled.
@@ -131,7 +141,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which
- 5 - Roaming only.
**OEMConnectionID**
-Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
+Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
**ApnId**
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
@@ -174,7 +184,7 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
**SimIccId**
-For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
+For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
**PurposeGroups**
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
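Review bot: The SimIccId fix separates "isOptional" but leaves "this parm is Optional" with a capital O mid-sentence, and "parm" appears twice where the other entries in this file write "parameter" (see OEMConnectionID: "This parameter is only used on LTE devices"). Suggest "For single SIM phones, this parameter is optional." and "For dual SIM phones, this parameter is required."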
@@ -271,17 +281,7 @@ The following table shows the Microsoft custom elements that this configuration
|Characteristic-query|Yes|
|Parm-query|Yes|
-
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index 333377d822..d1ce18151d 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -14,13 +14,21 @@ ms.date: 06/26/2017
# CMPolicy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
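Review bot: The new applicability table has no blank line after its last row: `+|Education|Yes|Yes|` is followed directly by the existing paragraph "The CMPolicy configuration service provider defines rules...". Without a separating blank line, Markdown renderers can treat that paragraph as part of the table. The other CSP files in this change add an empty `+` line after the table; do the same here. The context sentence "CMPolicy configuration service provider can have multiple policies" is also missing its period.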
@@ -134,7 +142,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
-
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@@ -180,7 +187,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
```
-Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
+Adding a host-based mapping policy:
+
+In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
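Review bot: The host-based example now has a short "Adding a host-based mapping policy:" lead line followed by its explanation as a separate paragraph, but the application-based example earlier in the same section still has both in one paragraph ("Adding an application-based mapping policy. In this example, ..."). Restructure both examples the same way or leave both as they were.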
@@ -1078,7 +1010,6 @@ You can download the DDF files for various CSPs from the links below:
## CSPs supported in HoloLens devices
-
The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
@@ -1163,7 +1094,6 @@ The following list shows the CSPs supported in HoloLens devices:
- [DiagnosticLog CSP](diagnosticlog-csp.md)
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
-- [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 1a0f77c9ed..ba7ddde489 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -42,7 +42,6 @@ Package Full Name of the application that needs to be launched in the background
## SyncML examples
-
**Set StartupAppID**
```xml
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 22ee682cf2..24f01509db 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -15,6 +15,14 @@ ms.date: 02/22/2022
# Defender CSP
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
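Review bot: The edition table is added directly under the "# Defender CSP" heading with no introductory sentence, whereas the same table in the other CSP files of this change is preceded by "The table below shows the applicability of Windows:". Add the sentence here too, so the table's purpose is clear.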
@@ -355,7 +363,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi
**EnableNetworkProtection/DisableHttpParsing**
-Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
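Review bot: Replacing "-EnableNetworkProtection" with the spaced phrase "Enable Network Protection" removes the only exact reference to the setting this sentence depends on. The node heading directly above is `EnableNetworkProtection/DisableHttpParsing`, so write `EnableNetworkProtection` in code formatting and drop only the leading hyphen. The retained "$true" and the "Position: Named" bullet read like cmdlet parameter documentation; for a CSP node, state the value the node actually takes. Because this setting switches off HTTP inspection, admins need the setting name and value to be exact.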
@@ -365,7 +373,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
**EnableNetworkProtection/DisableRdpParsing**
-Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
+Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@@ -375,7 +383,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
**EnableNetworkProtection/DisableSshParsing**
-Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
+Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
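Review bot: The added DisableSshParsing text is still broken into a sentence and a fragment: "...block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring." Join it the way the RDP entry is written ("...so that it can block connections from known malicious hosts if EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring"), and keep the setting name as `EnableNetworkProtection` instead of a spaced phrase.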
@@ -385,7 +393,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k
**EnableNetworkProtection/DisableTlsParsing**
-Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
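Review bot: the last sentence of the DisableTlsParsing description still says "HTTP inspection can be disabled by setting this value", but this node controls TLS parsing. An admin reading this could disable the wrong inspection, so change it to "TLS inspection" while the line is being edited. The line also says "set to enabled" where the RDP and SSH descriptions say "set to be enabled"; pick one form for all three.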
@@ -594,11 +602,13 @@ An interior node to group Windows Defender configuration information.
Supported operation is Get.
**Configuration/TamperProtection**
+
Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
+
Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
-The data type is a Signed blob.
+The data type is a Signed BLOB.
Supported operations are Add, Delete, Get, Replace.
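Review bot: the data type line now says "Signed BLOB", but the sentence two lines above still reads "Send off blob to device" and the description says the node "Accepts signed string". Use one casing for blob in this section and state the accepted value once, so it is clear what an MDM server must send. This hunk also leaves "Add, Delete, Get, Replace" unchanged while later hunks in the same file switch to "Add, Delete, Get, and Replace".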
@@ -610,7 +620,7 @@ Intune tamper protection setting UX supports three states:
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
**Configuration/DisableLocalAdminMerge**
-This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
+This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list.
If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
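Review bot: "lists such as threats and exclusion list" in the added line is ungrammatical and reads worse than the removed text. Either keep "lists such as threats and exclusions" or write "lists such as the threats list and the exclusions list".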
@@ -630,6 +640,7 @@ Valid values are:
- 0 (default) – Disable.
**Configuration/HideExclusionsFromLocalAdmins**
+
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
@@ -639,22 +650,23 @@ If you enable this setting, Local Admins will no longer be able to see the exclu
> [!NOTE]
> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
-Supported OS versions: Windows 10
+Supported OS versions: Windows 10
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
**Configuration/DisableCpuThrottleOnIdleScans**
+
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 (default) – Enable.
@@ -665,7 +677,7 @@ Allow managed devices to update through metered connections. Data charges may ap
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
@@ -676,7 +688,7 @@ This settings controls whether Network Protection is allowed to be configured in
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
@@ -687,7 +699,7 @@ Allows an administrator to explicitly disable network packet inspection made by
The data type is string.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
@@ -695,7 +707,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
@@ -706,7 +718,7 @@ The support log location setting allows the administrator to specify where the M
Data type is string.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Intune Support log location setting UX supports three states:
@@ -714,7 +726,7 @@ Intune Support log location setting UX supports three states:
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
- 0 - Disabled. Turns off the Support log location feature.
-When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
+When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
More details:
@@ -738,7 +750,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@@ -771,7 +783,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@@ -796,7 +808,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid Values are:
- 0: Not configured (Default)
@@ -819,7 +831,7 @@ If you disable or don't configure this policy, the device will remain in Current
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enabled.
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 7a1c219d01..11a1e2668d 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -14,6 +14,15 @@ ms.date: 03/27/2020
# DevDetail CSP
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE]
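Review bot: the edition table in devdetail-csp.md is added without the lead-in sentence "The table below shows the applicability of Windows:" that the same commit adds in devicemanageability-csp.md, devicestatus-csp.md, devinfo-csp.md and diagnosticlog-csp.md. Add the sentence here for consistency, and drop one of the two blank "+" lines after the table.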
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 9768af70a3..a932bc0ed7 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
-description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
+description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@@ -14,6 +14,15 @@ ms.date: 11/01/2017
# DeviceManageability CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
@@ -30,6 +39,7 @@ DeviceManageability
------------ConfigInfo (Added in Windows 10, version 1709)
------------EnrollmentInfo (Added in Windows 10, version 1709)
```
+
**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
@@ -50,14 +60,20 @@ Added in Windows 10, version 1709. Configuration information string value set by
ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
-Data type is string. Supported operations are Add, Get, Delete, and Replace.
+Data type is string.
+
+Supported operations are Add, Get, Delete, and Replace.
**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session.
-Data type is string. Supported operations are Add, Get, Delete, and Replace.
-
-
+Data type is string.
+
+Supported operations are Add, Get, Delete, and Replace.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 17cb3d7424..3f04f4495f 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceStatus CSP
-description: The DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
+description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.reviewer:
manager: dansimp
@@ -14,6 +14,15 @@ ms.date: 06/25/2021
# DeviceStatus CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
@@ -63,15 +72,16 @@ DeviceStatus
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
```
+
**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following values:
-- 0 - Not supported
-- 1 - Enabled
-- 2 - Disabled
+- 0 - Not supported
+- 1 - Enabled
+- 2 - Disabled
Supported operation is Get.
@@ -138,9 +148,9 @@ Supported operation is Get.
**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following values:
-- 2 - WLAN (or other Wireless interface)
-- 1 - LAN (or other Wired interface)
-- 0 - Unknown
+- 2 - WLAN (or other Wireless interface)
+- 1 - LAN (or other Wired interface)
+- 0 - Unknown
Supported operation is Get.
@@ -150,8 +160,8 @@ Node for the compliance query.
**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
-- 0 - Not encrypted
-- 1 - Encrypted
+- 0 - Not encrypted
+- 1 - Encrypted
Supported operation is Get.
@@ -179,8 +189,9 @@ Supported operation is Get.
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
-- 0 - The device is in standard configuration
-- 1 - The device is in S mode configuration
+
+- 0 - The device is in standard configuration.
+- 1 - The device is in S mode configuration.
Supported operation is Get.
@@ -194,15 +205,16 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
-- 0 - The security software reports that it isn't the most recent version.
-- 1 (default) - The security software reports that it's the most recent version.
-- 2 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 - The security software reports that it isn't the most recent version.
+- 1 (default) - The security software reports that it's the most recent version.
+- 2 – Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
If more than one antivirus provider is active, this node returns:
-- 1 – If every active antivirus provider has a valid signature status.
-- 0 – If any of the active antivirus providers has an invalid signature status.
+
+- 1 – If every active antivirus provider has a valid signature status.
+- 0 – If any of the active antivirus providers has an invalid signature status.
This node also returns 0 when no antivirus provider is active.
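Review bot: in the Antivirus/SignatureStatus list, value 2 was changed from "This value is returned" to "It is returned", while the Antivirus/Status, Antispyware and Firewall lists in the following hunks keep "This value is returned". Revert to the original wording so the "Not applicable" entries match. The same list also mixes "-" and "–" as the separator after the number (0 and 1 use a hyphen, 2 uses an en dash); normalize it while the lines are being rewritten.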
@@ -211,38 +223,39 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
-- 0 – Antivirus is on and monitoring.
-- 1 – Antivirus is disabled.
-- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off.
-- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC.
-- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 – Antivirus is on and monitoring.
+- 1 – Antivirus is disabled.
+- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off.
+- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC.
+- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
**DeviceStatus/Antispyware**
-Added in Windows, version 1607. Node for the antispyware query.
+Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
**DeviceStatus/Antispyware/SignatureStatus**
-Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
+Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
-- 0 - The security software reports that it isn't the most recent version.
-- 1 - The security software reports that it's the most recent version.
-- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 - The security software reports that it isn't the most recent version.
+- 1 - The security software reports that it's the most recent version.
+- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
-If more than one antispyware provider is active, this node returns:
-- 1 – If every active antispyware provider has a valid signature status.
-- 0 – If any of the active antispyware providers has an invalid signature status.
+If more than one anti-spyware provider is active, this node returns:
-This node also returns 0 when no antispyware provider is active.
+- 1 – If every active anti-spyware provider has a valid signature status.
+- 0 – If any of the active anti-spyware providers has an invalid signature status.
+
+This node also returns 0 when no anti-spyware provider is active.
**DeviceStatus/Antispyware/Status**
-Added in Windows, version 1607. Integer that specifies the status of the antispyware.
+Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
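Review bot: value 2 of Antispyware/SignatureStatus is re-added with the text "devices like the phone that don't have an antivirus", which is copied from the antivirus node and is wrong for an anti-spyware query. Since the line is rewritten here, change it to "don't have anti-spyware". The Firewall status list in the next hunk carries the same antivirus sentence for value 4 and needs the same correction. The prose now says "anti-spyware" while the node path stays "Antispyware", which is fine as long as the node names are left untouched.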
@@ -263,11 +276,11 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
Valid values:
-- 0 – Firewall is on and monitoring.
-- 1 – Firewall has been disabled.
-- 2 – Firewall isn't monitoring all networks or some rules have been turned off.
-- 3 (default) – Firewall is temporarily not monitoring all networks.
-- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 – Firewall is on and monitoring.
+- 1 – Firewall has been disabled.
+- 2 – Firewall isn't monitoring all networks or some rules have been turned off.
+- 3 (default) – Firewall is temporarily not monitoring all networks.
+- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
@@ -327,15 +340,15 @@ Added in Windows, version 1709. Virtualization-based security hardware requirem
Supported operation is Get.
**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
-Added in Windows, version 1709. Virtualization-based security status. Value is one of the following values:
+Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
+
- 0 - Running
- 1 - Reboot required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
-- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
-
+- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
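Review bot: removing the blank line after "- 42 – Other." puts "Supported operation is Get." directly under the last list item, where Markdown treats it as a continuation of that bullet instead of a separate paragraph. Keep the blank line between the list and the following sentence. The LsaCfgCredGuardStatus hunk below removes the blank line after "- 4 - VBS not running" in the same way and needs the same fix.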
@@ -346,7 +359,10 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
- 1 - Reboot required
- 2 - Not licensed for Credential Guard
- 3 - Not configured
-- 4 - VBS not running
-
+- 4 - VBS not running
Supported operation is Get.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index ef7c93a036..e5dc49d8ee 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -14,17 +14,25 @@ ms.date: 06/26/2017
# DevInfo CSP
+The table below shows the applicability of Windows:
-The DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The DevInfo configuration service provider handles the managed object, which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
-
-
For the DevInfo CSP, you can't use the Replace command unless the node already exists.
-The following example shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
+The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
+
```
.
DevInfo
@@ -34,6 +42,7 @@ DevInfo
----DmV
----Lang
```
+
**DevId**
Required. Returns an application-specific global unique device identifier by default.
@@ -41,25 +50,22 @@ Supported operation is Get.
The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows:
-- For GSM phones, the IMEI is returned.
-
-- For CDMA phones, the MEID is returned.
-
-- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
-
-- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
+- For GSM phones, the IMEI is returned.
+- For CDMA phones, the MEID is returned.
+- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
+- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
-If no name is found, the value returned is "Unknown".
+If no name is found, this returns to "Unknown".
Supported operation is Get.
**Mod**
-Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
+Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
-If no name is found, the value returned is "Unknown".
+If no name is found, this returns to "Unknown".
Supported operation is Get.
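Review bot: "If no name is found, this returns to "Unknown"." under both Man and Mod is incorrect English and changes the meaning; the removed wording "the value returned is "Unknown"" was right. Suggest "If no name is found, "Unknown" is returned." Also, Mod now says "Windows 10/Windows 11 desktop editions" while DevId and Man in the same hunk still say "Windows 10 for desktop editions"; update all three or none.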
@@ -75,15 +81,4 @@ Supported operation is Get.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index ded51dd0fa..6476b2d5e2 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -14,6 +14,16 @@ ms.date: 11/19/2019
# DiagnosticLog CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The DiagnosticLog configuration service provider (CSP) provides the following feature areas:
- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
@@ -68,7 +78,9 @@ Rest of the nodes in the DiagnosticLog CSP are described within their respective
## DiagnosticArchive area
-The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
+The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage.
+
+DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
> [!NOTE]
> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
@@ -90,7 +102,7 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
-With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element which will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
+With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following example shows a `Collection` XML:
@@ -110,13 +122,15 @@ The following example shows a `Collection` XML:
```
+
The XML should include the following elements within the `Collection` element:
-**ID**
+**ID**:
The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl**
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
+
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
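Review bot: "**ID**:" gains a trailing colon while the next element heading, "**SasUrl**", has none. Drop the colon so the element headings under the `Collection` description are formatted the same way.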
@@ -132,7 +146,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- **Events**
- Exports all events from the named Windows event log.
- Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
- - Output format: Creates a .evtx file.
+ - Output format: Creates an .evtx file.
- **Commands**
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
@@ -183,7 +197,6 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
-
**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
@@ -191,7 +204,7 @@ The supported operation is Get.
The data type is string.
-A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above it returns:
+A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above:
``` xml
-
+- 0 - Disallowed
+- 1 - Allowed
+- 2 - DomesticRoaming
+- 3 - UseOnlyForDomesticRoaming
+- 4 - UseOnlyForNonDomesticRoaming
+- 5 - UseOnlyForRoaming
-
-
-
-
+- 0x00 indicates that all queuing is to be disabled
+- 0x01 specifies that inbound encrypted packets are to be queued
+- 0x02 specifies that packets are to be queued after decryption is performed for forwarding
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+**Accounts/DomainNamesForEmailSync**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+
+
+
+The following list shows the supported values:
+
+
+
+
+
+
## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy CSP](policy-configuration-service-provider.md)
+
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 6960e68f36..1ac68b444f 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -1714,7 +1714,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720.
+This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to use Data Protection](/dotnet/standard/security/how-to-use-data-protection).
If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
If you don't configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
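Review bot: the replacement link for "For more information about DPAPI" points to /dotnet/standard/security/how-to-use-data-protection, which by its path and title is a .NET how-to. Please confirm that this is the intended reference for admins configuring DPAPI activity auditing, or say in the sentence that the link is a developer guide to the API.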
@@ -2862,7 +2862,7 @@ If you don't configure this policy setting, no audit event is generated when an
> [!Note]
> Only the System Access Control List (SACL) for SAM_SERVER can be modified.
-Volume: High on domain controllers. For information about reducing the number of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
+Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects).
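Review bot: the added "Volume" sentence changes the subject from "events generated in this subcategory" to "auditing the access of global system objects" and links to that separate security policy setting, yet the note directly above concerns the SACL for SAM_SERVER. Please confirm the new target actually explains how to reduce event volume for this subcategory; if it does not, keep the original wording and find an equivalent of the retired KB article.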
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index e66ffbee8b..522b144fb4 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -32,6 +32,14 @@ manager: dansimp
**ControlPolicyConflict/MDMWinsOverGP**
+> [!NOTE]
+> This setting doesn't apply to the following types of group policies:
+>
+> - If they don't map to an MDM policy. For example, firewall policies and account lockout policies.
+> - If they aren't defined by an ADMX. For example, Password policy - minimum password age.
+> - If they're in the Windows Update category.
+> - If they have list entries. For example, the Microsoft Edge CookiesAllowedForUrls policy.
+
|Edition|Windows 10|Windows 11|
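Review bot: The four bullets in the added note are introduced as "types of group policies" but are written as conditions ("If they don't map to an MDM policy."). Rewrite them as noun phrases, for example "Group policies that don't map to an MDM policy, such as firewall policies and account lockout policies." Because the exceptions include account lockout, password and firewall policies, the note should also say outright that the Group Policy value stays in effect for these even when MDMWinsOverGP is set to 1.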
@@ -58,9 +66,6 @@ manager: dansimp
This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
-> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
-
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
> [!NOTE]
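Review bot: The removed note was the only place that said MDMWinsOverGP "does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs". The note added in the previous hunk lists Group Policy exceptions only, so that limitation is now undocumented. Keep that sentence, either here or as a fifth bullet in the new note. The unchanged line below also reads "if this policy value is set 1" and needs "set to 1".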
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 7a37cafe94..3cd97e7de1 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 12/29/2021
+ms.date: 05/12/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@@ -863,7 +863,7 @@ ADMX Info:
> This policy is only enforced in Windows 10 for desktop.
-This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (Azure Site Recovery) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
+This policy setting enables setting the state (Block/Audit/Off) for each attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
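Review bot: The corrected sentence still lists "(Block/Audit/Off)" twice in two consecutive sentences, and "name value pair" should be "name-value pair". Suggest merging the first two sentences into one, such as "This policy setting sets the state (Block/Audit/Off) for each attack surface reduction (ASR) rule." The text names states but the value is a "status ID", so a short mapping of state to ID here would save readers following the link.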
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 17f1c7e4b9..398e28de31 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 05/09/2022
+ms.date: 05/16/2022
ms.reviewer:
manager: dansimp
---
@@ -73,7 +73,7 @@ manager: dansimp
> [!Important]
-> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)).
+> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
**DeviceLock/AllowIdleReturnWithoutPassword**
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 3599a3ce1a..ae91c0694e 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -28,15 +28,129 @@ manager: dansimp
## FileExplorer policies
+
+
+
+
+**FileExplorer/AllowOptionToShowNetwork**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy allows the user with an option to show the network folder when restricted.
+
+
+
+
+The following list shows the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Allow the user the option to show Network folder when restricted*
+- GP name: *AllowOptionToShowNetwork*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+
+**FileExplorer/AllowOptionToShowThisPC**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+This policy allows the user with an option to show this PC location when restricted.
+
+
+
+
+The following list shows the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Allow the user the option to show Network folder when restricted*
+- GP name: *AllowOptionToShowThisPC*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
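Review bot: The ADMX Info for FileExplorer/AllowOptionToShowThisPC carries the GP Friendly name "Allow the user the option to show Network folder when restricted", which is the same string as AllowOptionToShowNetwork and looks like a copy-paste. Please replace it with the friendly name for the This PC setting from Explorer.admx. The two sibling settings also differ in scope (Device for the Network option, User for the This PC option), so confirm that is intended. "This policy allows the user with an option to show" should read "This policy gives the user the option to show" in both descriptions.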
@@ -109,6 +223,8 @@ ADMX Info:
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
+
+
ADMX Info:
- GP Friendly name: *Turn off heap termination on corruption*
@@ -120,5 +236,114 @@ ADMX Info:
+
+**FileExplorer/SetAllowedFolderLocations**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+
+This policy configures the folders that the user can enumerate and access in the File Explorer.
+
+
+
+
+The following list shows the supported values:
+
+- 0: All folders
+- 15:Desktop, Documents, Pictures, and Downloads
+- 31:Desktop, Documents, Pictures, Downloads, and Network
+- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
+- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
+- GP name: *SetAllowedFolderLocations*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+
+**FileExplorer/SetAllowedStorageLocations**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+
+This policy configures the folders that the user can enumerate and access in the File Explorer.
+
+
+
+
+The following list shows the supported values:
+
+- 0: all storage locations
+- 1: Removable Drives
+- 2: Sync roots
+- 3: Removable Drives, Sync roots, local drive
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
+- GP name: *SetAllowedStorageLocations*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
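Review bot: FileExplorer/SetAllowedStorageLocations repeats both the description ("configures the folders that the user can enumerate and access") and the GP Friendly name of SetAllowedFolderLocations, so the two policies can't be told apart from the text. Its value list is also inconsistent: 3 is described as "Removable Drives, Sync roots, local drive", yet neither 1 nor 2 mentions a local drive. For SetAllowedFolderLocations, the values step by 16 (Network) and 32 (This PC) on top of 15, which suggests bit flags. If so, document the individual flags, and state a default for both policies, since a restriction setting with no stated default is easy to misconfigure. Use a space after the colon consistently ("15: Desktop").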
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index b56f078278..68fdb085a9 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - Search
-
@@ -57,6 +56,9 @@ manager: dansimp
+
+**Search/DisableSearch**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
+
+It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
+
+
+
+ADMX Info:
+
+- GP Friendly name: *Fully disable Search UI*
+- GP name: *DisableSearch*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Do not disable search.
+- 1 – Disable search.
+
+
+
+
+
+
**Search/DoNotUseWebResults**
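Review bot: In Search/DisableSearch the supported values come after the ADMX Info block, while the FileExplorer entries added in this same patch put the values before it. Pick one order. The value lines also use an en dash and "Do not disable search", where the rest of the patch uses a hyphen or colon and contractions. Suggest "- 0 (default) - Don't disable search."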
@@ -761,7 +814,7 @@ The following list shows the supported values:
-If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index..
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.
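Review bot: Besides removing the doubled period, this line expands "they're" and "won't" to "they are" and "will not", which runs against the contractions used everywhere else in this patch ("isn't", "don't", "doesn't"). Keep the contractions and limit the change to the trailing "..".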
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index fbc41ad17a..9985a58d5c 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -411,7 +411,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
Supported operations are Get and Replace.
-If the policy isn't configured, end-users get the default behavior (Auto install and restart).
+If the policy isn't configured, end-users get the default behavior (Auto download and install).
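Review bot: The new parenthetical "(Auto download and install)" doesn't match the label of any entry in the supported values list that follows, so readers can't tell which value is the default from this sentence. Reference the value by number, for example "the default behavior (value 6)".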
@@ -426,13 +426,13 @@ ADMX Info:
The following list shows the supported values:
-- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
-- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
-- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
-- 5 - Turn off automatic updates.
-
+- 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
+- 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
+- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
+- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page.
+- 5: Turn off automatic updates.
+- 6 (default): Updates automatically download and install at an optimal time determined by the device. Restart occurs outside of active hours until the deadline is reached, if configured.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you won't get security updates as well.
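Review bot: With the blank line after the list removed and value 6 appended, the IMPORTANT note ("This option should be used only for systems under regulatory compliance, as you won't get security updates as well") now sits directly under "6 (default)" and reads as a warning about the default. It belongs to value 5, so name the option in the note or indent it under that bullet. Value 4 is now a copy of value 3 and says the user "can interrupt the 15-minute countdown" while also restricting end-user controls. The removed text said "without end-user control" and that the control panel becomes read-only, so spell out what is actually restricted. Value 2 still says "This behavior is the default for unmanaged devices" while 6 carries the "(default)" label. Clarify how the two relate.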
diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md
deleted file mode 100644
index ecef629054..0000000000
--- a/windows/client-management/mdm/policymanager-csp.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: PolicyManager CSP
-description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP.
-ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/28/2017
----
-
-# PolicyManager CSP
-
-PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
-
-
-
-## Related articles
-
-[Policy CSP](policy-configuration-service-provider.md)
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
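Review bot: The deleted page existed only to send readers to Policy CSP, so its redirect should target policy-configuration-service-provider, not the generic CSP reference page. Please check that .openpublishing.redirection.json has an entry for policymanager-csp.md and that the TOC and any inbound links are updated in the same change.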
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index 6e19fc3072..70d22a6a7b 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -14,6 +14,15 @@ ms.date: 06/26/2017
# Provisioning CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Provisioning configuration service provider is used for bulk user enrollment to an MDM service.
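Review bot: The added lead-in "The table below shows the applicability of Windows:" doesn't say what applies to what. Suggest "The following table shows the Windows editions this CSP applies to:". The same sentence is added in reboot-csp.md and sharedpc-csp.md. As shown, the last table row is followed directly by the paragraph "The Provisioning configuration service provider is used", so make sure a blank line separates them or the paragraph may render as a table row.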
diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md
deleted file mode 100644
index 33a8847c7f..0000000000
--- a/windows/client-management/mdm/proxy-csp.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-title: PROXY CSP
-description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections.
-ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/26/2017
----
-
-# PROXY CSP
-
-
-The PROXY configuration service provider is used to configure proxy connections.
-
-> [!NOTE]
-> Use [CM\_ProxyEntries CSP](cm-proxyentries-csp.md) instead of PROXY CSP, which will be deprecated in a future release.
-
-This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
-For the PROXY CSP, you can't use the Replace command unless the node already exists.
-
-The following example shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
-
-```
-./Vendor/MSFT/Proxy
-----*
---------ProxyId
---------Name
---------AddrType
---------Addr
---------AddrFQDN
---------ConRefs
-------------*
-----------------ConRef
---------Domains
-------------*
-----------------DomainName
---------Ports
-------------*
-----------------PortNbr
-----------------Services
---------------------*
-------------------------ServiceName
---------ProxyType
---------ProxyParams
-------------WAP
-----------------Trust
-----------------PushEnabled
---------Ext
-------------Microsoft
-----------------Guid
-```
-
-**./Vendor/MSFT/Proxy**
-Root node for the proxy connection.
-
-***ProxyName***
-Defines the name of a proxy connection.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead).
-
-The addition, update, and deletion of this subtree of nodes have to be specified in a single atomic transaction.
-
-***ProxyName*/PROXYID**
-Specifies the unique identifier of the proxy connection.
-
-***ProxyName*/NAME**
-Specifies the user-friendly name of the proxy connection.
-
-***ProxyName*/ADDR**
-Specifies the address of the proxy server.
-
-This value may be the network name of the server, or any other string (such as an IP address) used to uniquely identify the proxy connection.
-
-***ProxyName*/ADDRTYPE**
-Specifies the type of address used to identify the proxy server.
-
-The valid values are IPV4, IPV6, E164, ALPHA.
-
-***ProxyName*/PROXYTYPE**
-Specifies the type of proxy connection.
-
-Depending on the ProxyID, the valid values are ISA, WAP, SOCKS, or NULL.
-
-***ProxyName*/Ports**
-Node for port information.
-
-***ProxyName*/Ports/_PortName_**
-Defines the name of a port.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names.
-
-***ProxyName*/Ports/*PortName*/PortNbr**
-Specifies the port number to be associated with the parent port.
-
-***ProxyName*/Ports/*PortName*/Services**
-Node for services information.
-
-***ProxyName*/Ports/Services/_ServiceName_**
-Defines the name of a service.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names.
-
-***ProxyName*/Ports/Services/*ServiceName*/ServiceName**
-Specifies the protocol to be associated with the parent port.
-
-One commonly used value is "HTTP".
-
-***ProxyName*/ConRefs**
-Node for connection reference information
-
-***ProxyName*/ConRefs/_ConRefName_**
-Defines the name of a connection reference.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names.
-
-***ProxyName*/ConRefs/*ConRefName*/ConRef**
-Specifies one single connectivity object associated with the proxy connection.
-
-## Related topics
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
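Review bot: The removed note says PROXY CSP "will be deprecated in a future release", which is not the same as already removed. Deleting the page drops the node reference (ADDRTYPE and PROXYTYPE values, the atomic-transaction requirement) for anyone still maintaining existing provisioning. Please confirm the CSP is no longer supported on any in-support Windows version, and redirect this path to cm-proxyentries-csp.md, since that is the replacement the page itself named.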
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index cc8752d76b..6401374804 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -14,7 +14,6 @@ ms.date: 06/26/2017
# PXLOGICAL configuration service provider
-
The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
> [!NOTE]
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 95d4d915de..7403425b15 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -14,10 +14,20 @@ ms.date: 06/26/2017
# Reboot CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Reboot configuration service provider is used to configure reboot settings.
The following shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+
```
./Device/Vendor/MSFT
Reboot
@@ -26,41 +36,44 @@ Reboot
--------Single
--------DailyRecurrent
```
-**./Vendor/MSFT/Reboot**
-
Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway.|
|SECROLE_ANY_PUSH_SOURCE|4096|Push Router.
Messages received by the push router will be assigned to this role.|
-
-
## OMA Client Provisioning examples
-
Setting a security policy:
```xml
@@ -150,7 +153,6 @@ Querying a security policy:
## OMA DM examples
-
Setting a security policy:
```xml
@@ -195,7 +197,6 @@ Querying a security policy:
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this Configuration Service Provider supports for OMA Client Provisioning.
|Elements|Available|
@@ -203,9 +204,6 @@ The following table shows the Microsoft custom elements that this Configuration
|parm-query|Yes|
|noparm|Yes. If this element is used, then the policy is set to 0 by default (corresponding to the most restrictive of policy values).|
-
-
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index 7f8d360143..c3018f398a 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -14,6 +14,15 @@ ms.date: 01/16/2019
# SharedPC CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The SharedPC configuration service provider is used to configure settings for Shared PC usage.
@@ -57,7 +66,9 @@ A boolean value that specifies whether the policies for education environment ar
The supported operations are Add, Get, Replace, and Delete.
-The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
+The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
+
+In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
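Review bot: Splitting the paragraph leaves two conflicting defaults side by side in the first part: "The default value changed to false in Windows 10, version 1703" and "The default value is Not Configured". State one default per version. If "Not Configured" is the node state and false is the effective behaviour, say so explicitly, because admins rely on this to know whether education policies are applied when the node is absent.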
@@ -140,9 +151,9 @@ For Windows 10, version 1607, here's the list shows the supported values:
For Windows 10, version 1703, here's the list of supported values:
-- 0 - Delete immediately
-- 1 - Delete at disk space threshold
-- 2 - Delete at disk space threshold and inactive threshold
+- 0 - Delete immediately.
+- 1 - Delete at disk space threshold.
+- 2 - Delete at disk space threshold and inactive threshold.
The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
@@ -181,7 +192,8 @@ The default value is Not Configured and behavior is no such restriction applied.
**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+- Value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
@@ -197,7 +209,9 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
-The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+- The default value is Not Configured.
+- Value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 30.
@@ -207,13 +221,14 @@ Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applie
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+- Default value is Not Configured.
+- Value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 1024.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index 362f24ac59..81facaf312 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# SharedPC DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **SharedPC** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -176,7 +175,7 @@ The XML below is the DDF for Windows 10, version 1703.
-For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
-For AD accounts, ensure that DomainName, UserName, and Password are valid.
-Ensure that the specified account has an Exchange server mailbox. |
+| 2 | Populating account | Unable to retrieve account details using the username and password you provided.
For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
For AD accounts, ensure that DomainName, UserName, and Password are valid.
Ensure that the specified account has an Exchange server mailbox. |
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
-| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure that the ExchangeServer field is valid. |
+| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. |
-| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. |
+| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. |
-The data type is integer. Supported operation is Get.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get.
**MaintenanceHoursSimple/Hours**
-
-
Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.
- **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
- **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
-| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
+| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign-off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
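Review bot: in the DeletionPolicy row, the added text only changes "sign off" to "sign-off" and keeps "regardless if the PC is actively in use or not". Since the row is being rewritten anyway, change that to "regardless of whether the PC is in use" and end the last bullet, after **InactiveThreshold**, with a period. Earlier in the same region, the new lead-in "It performs the following:" doesn't fit the two bullets under it, which state a data type and a supported operation rather than actions. The removed wording, "The data type is integer. Supported operation is Get.", was more accurate.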
@@ -85,7 +85,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
You can configure Windows to be in shared PC mode in a couple different ways:
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps:
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To set up a shared device policy for Windows client in Intune, complete the following steps:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
@@ -185,30 +185,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
### Apply the provisioning package
-You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
-
-**During initial setup**
-
-1. Start with a PC on the setup screen.
-
- 
-
-2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
-
- - If there is only one provisioning package on the USB drive, the provisioning package is applied.
-
- - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install.
-
- 
-
-3. Complete the setup process.
-
-
-**After setup**
-
-On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install.
-
-
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
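Review bot: the note kept under the new sentence still says "If you apply the setup file to a computer that has already been set up", but with the step-by-step text removed, nothing in this section mentions a setup file any more. Change it to "provisioning package" so the warning about lost accounts and data clearly applies to the runtime case the new sentence describes. Also confirm that the linked provisioning-apply-package.md covers the "press the Windows key five times" fallback and the **Set up device?** prompt deleted here, so that guidance isn't lost.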
@@ -217,7 +194,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md
index d2a8850284..2bbae9dfc2 100644
--- a/windows/configuration/windows-10-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-10-accessibility-for-ITPros.md
@@ -89,3 +89,5 @@ This topic helps IT administrators learn about built-in accessibility features,
[Inclusive Design](https://www.microsoft.com/design/inclusive)
+[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
+
diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/imcc02.png
index 351dad7325..151fa69ed7 100644
Binary files a/windows/deployment/do/images/imcc02.png and b/windows/deployment/do/images/imcc02.png differ
diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/imcc10.png
index e5da041358..53d2773ce6 100644
Binary files a/windows/deployment/do/images/imcc10.png and b/windows/deployment/do/images/imcc10.png differ
diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/imcc11.png
index 9ffaac6072..bf45500aba 100644
Binary files a/windows/deployment/do/images/imcc11.png and b/windows/deployment/do/images/imcc11.png differ
diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/imcc12.png
index fcb5d40a45..d776cb5913 100644
Binary files a/windows/deployment/do/images/imcc12.png and b/windows/deployment/do/images/imcc12.png differ
diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/imcc13.png
index 3d2a566c8b..feee2d0e9c 100644
Binary files a/windows/deployment/do/images/imcc13.png and b/windows/deployment/do/images/imcc13.png differ
diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/imcc14.png
index 627d496b4c..59dc405046 100644
Binary files a/windows/deployment/do/images/imcc14.png and b/windows/deployment/do/images/imcc14.png differ
diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/imcc17.png
index ac6b5be124..f6b0ffcad7 100644
Binary files a/windows/deployment/do/images/imcc17.png and b/windows/deployment/do/images/imcc17.png differ
diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/imcc18.png
index aa818361eb..5b89bfe31a 100644
Binary files a/windows/deployment/do/images/imcc18.png and b/windows/deployment/do/images/imcc18.png differ
diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/imcc19.png
index 2a70b46b11..ead9d1c383 100644
Binary files a/windows/deployment/do/images/imcc19.png and b/windows/deployment/do/images/imcc19.png differ
diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/imcc26.png
index c46a7e6363..b64e3849dc 100644
Binary files a/windows/deployment/do/images/imcc26.png and b/windows/deployment/do/images/imcc26.png differ
diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/imcc27.png
index 01076b3ae5..c37713364f 100644
Binary files a/windows/deployment/do/images/imcc27.png and b/windows/deployment/do/images/imcc27.png differ
diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/imcc28.png
index a7aa7eecd7..cc99b61638 100644
Binary files a/windows/deployment/do/images/imcc28.png and b/windows/deployment/do/images/imcc28.png differ
diff --git a/windows/deployment/do/images/imcc29.png b/windows/deployment/do/images/imcc29.png
deleted file mode 100644
index 2291487e5b..0000000000
Binary files a/windows/deployment/do/images/imcc29.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/imcc30.png
index 8cabce52c8..42301d5c4c 100644
Binary files a/windows/deployment/do/images/imcc30.png and b/windows/deployment/do/images/imcc30.png differ
diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png
new file mode 100644
index 0000000000..c40ab0c5c9
Binary files /dev/null and b/windows/deployment/do/images/imcc54.png differ
diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/imcc55.PNG
new file mode 100644
index 0000000000..2875d4d56e
Binary files /dev/null and b/windows/deployment/do/images/imcc55.PNG differ
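Review bot: the new file imcc55.PNG has an uppercase extension, while every other image touched in this directory, including imcc54.png added alongside it, uses lowercase `.png`. Rename it to imcc55.png, or make sure the reference in mcc-isp.md matches the case exactly, because a case-sensitive host won't resolve a mismatched path. imcc29.png is deleted in the same change, so check that no remaining page still references it.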
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index dd4a7afbbc..458c5af1b4 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -1,593 +1,740 @@
---
title: Microsoft Connected Cache for Internet Service Providers (ISPs)
-manager: dougeby
description: Details on Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
-keywords: updates, downloads, network, bandwidth
ms.prod: w10
-ms.mktglfcycl: deploy
-audience: itpro
-author: carmenf
+ms.technology: windows
ms.localizationpriority: medium
-ms.author: carmenf
+author: amymzhou
+ms.author: aaroncz
+ms.reviewer: carmenf
+manager: dougeby
ms.collection: M365-modern-desktop
-ms.topic: article
+ms.topic: how-to
+ms.date: 05/20/2022
---
# Microsoft Connected Cache for Internet Service Providers (ISPs)
-**Applies to**
+_Applies to_
-- Windows 10
+- Windows 10
- Windows 11
## Overview
> [!IMPORTANT]
-> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
+Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
-Microsoft Connected Cache is a Hybrid (mix of on-prem and cloud resources) solution composed of a Docker compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge (more information on IoT Edge [in the appendix](#iot-edge-runtime)) as a secure and reliable control plane, and even though your scenario is not related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure. Azure IoT Edge consists of three components that the Microsoft Connected Cache infrastructure will utilize:
-
-1. A cloud-based interface that enables secure, remote installation, monitoring, and management of MCC nodes.
-2. A runtime that securely manages the modules deployed to each device.
-3. Modules/containers that run the MCC functionality on your device.
+Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure.
## How MCC works
-The following steps describe how MCC is provisioned and used.
+:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png":::
-1. The Azure Management Portal used to create and manage MCC nodes.
-2. The MCC container is deployed and provisioned to the server.
-3. The Azure Management Portal is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server by providing two pieces of information:
- - The publicly accessible IPv4 address of the server hosting the MCC container.
- - The CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
-4. Microsoft end-user devices periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
-5. Microsoft end-user devices make the range requests for content from the MCC node.
-6. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
-7. Subsequent requests from end-user devices for content will now come from cache.
-8. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers.
+The following steps describe how MCC is provisioned and used:
- 
+1. The Azure Management Portal is used to create and manage MCC nodes.
-## ISP Requirements for MCC
+2. A shell script is used to provision the server and deploy the MCC application.
-1. **Azure subscription**: The MCC management portal is hosted within Azure, and is used to create the Connected Cache Azure resource and IoT Hub resource. Both are free services.
+3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
- Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
+ - The publicly accessible IPv4 address of the server is configured on the portal.
- The resources used for the preview, and in the future when this product is ready for production, will be completely free to you - like other caching solutions.
-
- > [!NOTE]
- > If you request Exchange or Public peering in the future, business email addresses must be used to register ASN's, because Microsoft does not accept gmail or other non-business email addresses.
+ - **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
-2. **Hardware to host MCC**: The recommended configuration will serve approximately 35,000 consumer devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
+ - **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node.
+
+ > [!NOTE]
+ > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
+
+4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
+
+5. Microsoft clients make the range requests for content from the MCC node.
+
+6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
+
+7. Subsequent requests from end-user devices for content will be served from cache.
+
+8. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
+
+## ISP requirements for MCC
+
+### Azure subscription
+
+The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services.
+
+> [!NOTE]
+> If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses.
+
+Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends.
+
+The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions.
+
+> [!IMPORTANT]
+> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey).
+
+### Hardware to host the MCC
+
+This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC.
+
+#### Disk requirements
-Disk requirements:
- SSDs are recommended due to improved cache read speeds of SSD, compared to HDD.
- Using multiple disks is recommended to improve cache performance.
- RAID disk configurations are discouraged because cache performance will be impacted. If you're using RAID disk configurations, ensure striping.
- The maximum number of disks supported is 10.
-NIC requirements:
-- Multiple NICs on a single MCC instance are not supported.
-- 10Gbps NIC is the minimum speed recommended, but any NIC is supported.
+#### NIC requirements
+
+- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration.
+- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
### Sizing recommendations
+The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC.
+
| Component | Minimum | Recommended |
| -- | --- | --- |
| OS | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) |
| NIC | 10 Gbps| at least 10 Gbps |
-| Disk | SSD
1 drive
2TB each |SSD
2-4 drives
at least 2TB each |
-| Memory | 8GB | 32GB or greater |
+| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each |
+| Memory | 8 GB | 32 GB or greater |
| Cores | 4 | 8 or more |
## Steps to deploy MCC
To deploy MCC:
-1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id)
+1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id)
2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
-3. [Create an MCC Node](#create-an-mcc-node-in-azure): IP address space approval information is required for this step.
-4. [Edit Cache Node Information](#edit-cache-node-information)
-5. [Set up your server](#set-up-a-server-with-sr-or-an-ubuntu)
-6. [Install MCC on a physical server or VM](#install-mcc)
-7. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
-8. [Review the MCC summary report](#verify-server-side)
-9. [Review common issues](#common-issues) if needed.
+3. [Create a Cache Node](#create-a-mcc-node-in-azure)
+4. [Configure Cache Node Routing](#edit-cache-node-information)
+5. [Install MCC on a physical server or VM](#install-mcc)
+6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server)
+7. [Review common issues if needed](#common-issues)
-For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
+For questions regarding these instructions, contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com).
-## Provide Microsoft with the Azure Subscription ID
+## Provide Microsoft with your Azure subscription ID
-As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
+As part of the MCC preview onboarding process, an Azure subscription ID must be provided to Microsoft.
> [!IMPORTANT]
-> [Contact Microsoft](mailto:mccforenterprise@microsoft.com?subject=[MCC%20for%20Enterprise]%20Please%20add%20our%20Azure%20subscription%20to%20the%20allow%20list) and provide your Azure subscription ID if you have not already. You'll not be able to proceed if you skip this step.
+> If you haven't already, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). You can't continue if you skip this step.
-
-For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id).
+For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id).
### Create the MCC resource in Azure
-The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
+The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and cache nodes.
-Send email to the MCC team ([msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal, which will allow you to create the resource described below.
+Operators who have been given access to the program will be sent a link to the Azure portal, which will allow you to create this resource.
-1. Choose **Create a resource**
+1. Choose **Create a resource**.
- 
+ :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal.":::
-2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results.
+1. Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results.
-3. Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource.
+1. Select **Microsoft Connected Cache**.
- 
- 
+ :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'.":::
-4. Fill in the required fields to create the MCC resource.
+ > [!IMPORTANT]
+ > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**.
- - Choose the subscription that you provided to Microsoft.
- - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group.
- - Choose **(US) West US**” for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it is just a limitation of the preview.
+1. Select **Create** on the next screen to start the process of creating the MCC resource.
- > [!NOTE]
- > Your MCC resource will not be created properly if you don't select **(US) West US**
+ :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service.":::
- - Choose a name for the MCC resource.
+1. Fill in the following required fields to create the MCC resource:
- 
+ - Choose the **Subscription** that you provided to Microsoft.
-5. Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the
- resource creation.
+ - Azure resource groups are logical groups of resources. Create a new **Resource group** and choose a name for it.
- 
+ - Choose **(US) West US** for the **Location** of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview.
-#### Error: Validation failed
+ > [!NOTE]
+ > Your MCC resource won't create properly if you don't select **(US) West US**.
-- If you get a Validation failed error message on your portal, it is likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**.
-- To resolve this error, go to the previous step and choose **(US) West US**.
+ - Specify a **Connected Cache Resource Name**.
- 
+ :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure.":::
-### Create an MCC node in Azure
+1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation.
-Creating a MCC node is a multi-step process and the first step is to access the MCC private preview management portal.
+ :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details.":::
-1. After the successful resource creation click on the **Go to resource**.
-2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**.
+#### Common Resource Creation Errors
- 
+##### Error: Validation failed
-3. On the **Cache Nodes** blade, click on the **Create Cache Node** button.
+If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**.
- 
+:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location.":::
-4. Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation.
+##### Error: Could not create Marketplace item
-| **Field Name** | **Expected Value** | **Description** |
-|-------------------------------|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
-| **Server II Address** | Ipv4 Address | IP address of your MCC server. This is used to route end-user devices in your network to the server for Microsoft content downloads. **The IP address must be publicly accessible.** |
-| **Address Range/CIDR Blocks** | IPv4 CIDR notation | IP Address range/CIDR blocks that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24 , 3.22.235.0/24 , 4.23.236.0/24 |
-| **Enable Cache Node** | Enable/Disable Radio Button | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. |
+If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot:
- 
+- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource.
-Hovering your cursor next to each field will populate the details of that field.
+- Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource.
- 
+- If the issue persists, clear your browser cache and start in a new window.
-There are two other read-only fields on this page that are populated after the cache node is created:
+### Create a MCC node in Azure
-| **Field Name** | **Description** |
-|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **IP Space** | Number of IP addresses that will be routed to your cache server. |
-| **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscripiton ID. |
+1. After you successfully create the resource, select **Go to resource**.
-5. Enter the information for the Cache Node and click on the Create button. In the screenshot below only the Cache Node Name is provided, but all information can be included if desired.
+1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**.
- 
+ :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section.":::
- If there are errors the form will provide guidance on how to correct the errors. For example:
+1. On the **Cache Nodes** section, select **Create Cache Node**.
- - The cache node name is in use in the resource or is an incorrect format.
- - If the CIDR block notation or list is incorrect.
- - The server IP address or CIDR block are already in use.
+ :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option.":::
- See the following example with all information entered:
+1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**.
- 
+ | Field name | Expected value | Description |
+ |--|--|--|
+ | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
+ | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ |
+ | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. |
+ | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` |
+ | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. |
- Once the MCC Node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this doc can be found at the [Install Connected Cache](#install-mcc) section.
+ :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page.":::
- 
+ > [!TIP]
+ > The information icon next to each field provides a description.
+ >
+ > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field.":::
+
+ > [!NOTE]
+ > After you create the cache node, if you return to this page, it populates the values for the two read-only fields:
+ >
+ > | Field name | Description |
+ > |--|--|
+ > | **IP Space** | Number of IP addresses that will be routed to your cache server. |
+ > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. |
+
+1. Enter the information to create the cache node, and then select **Create**.
+
+ :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page.":::
+
+If there are errors, the page gives you guidance on how to correct the errors. For example:
+
+- The cache node name is already in use in the resource or is an incorrect format.
+- The CIDR block notation or list is incorrect.
+- The server IP address or CIDR block is already in use.
+
+See the following example with all information entered:
+
+:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered.":::
+
+Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section.
+
+:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions.":::
### IP address space approval
-There are three states for IP address space that are explained in the table below. The preview will require approval from Microsoft CIDR block ranges that contain more than 50,000 IP addresses. In the future, MCC configuration will support BGP and will therefore have automatic routing capabilities.
+There are three states for IP address space. MCC configuration supports BGP and has automatic routing capabilities.
-| **IP address space status** | **Description** |
-|------------------------|------------------------------------|
-| **Valid** | The IP address space is below the 50,000 IP address space threshold and the space does not overlap with existing cache nodes. |
-| **In Review** | The IP address space exceeds the 50,000 IP address space and is under review with Microsoft to ensure valid IP address space. |
-| **Attention Required** | The IP address space has been reviewed and an issue was discovered. Some examples include: IP address space overlap with existing cache node belonging to another customer. IP address space was exceedingly large. Contact Microsoft for more information if your IP address space has this status. |
+- **Valid**: The IP address space is approved.
-See the following example:
+- **In Review**: The IP address space is under review with Microsoft to ensure valid IP address space.
-
+- **Attention Required**: The IP address space has been reviewed and an issue was discovered. For example:
-## Edit Cache Node Information
+ - The IP address space overlaps with an existing cache node that belongs to another customer
-IP address or CIDR information can be modified for existing MCC nodes in the portal.
+ - The IP address space was exceedingly large.
-To edit IP address or CIDR information, click on the Cache Node Name which will open the Cache Node Configuration page. Cache nodes can be deleted here by clicking the check box to the left of a Cache Node Name and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node.
+ If your IP address space has this status, contact Microsoft for more information.
-
+:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses.":::
-The Server IP Address, Address Range/CIDR Blocks, and Enable Cache Node are all editable as show below:
+## Edit cache node information
-
+:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal.":::
-## Set up a server with SR or an Ubuntu
+To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node.
-The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. As discussed earlier, the recommended configuration (details below) will serve approximately 35,000 consumer devices downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
+:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields.":::
-| | **Minimum** | **Recommended** |
-|-------------|---------------------------------------------|----------------------------------------------------|
-| **Server** | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) |
-| **NIC** | 10 Gbps | 10 Gbps |
-| **Disk** | SSD 1 – 2 drives minimum 2 TB each minimum | SSD 2 – 4 drives minimum 2 TB each minimum |
-| **Memory** | 8 GB | 32 GB or more |
-| **Cores** | 4 | 8 or more |
+To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node.
## Install MCC
-Installing MCC on your physical server or VM is a straightforward process. A Bash script installer performs the following tasks:
+To install MCC on your physical server or VM, you use a Bash script installer, which runs the following tasks:
-- Azure IoT Edge relies on an OCI-compatible container runtime. The script
- will install the Moby engine and CLI.
-- Installs IoT Edge.
-- Installs SSH to support remote access to the server
-- Enables the firewall and opens port 80 for inbound and outbound traffic. Port 80 is used by MCC.
-- Configures Connected Cache tuning settings.
-- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
-- Deploys the MCC container to server.
+- Installs the Moby engine and CLI.
+- Installs IoT Edge.
+- Installs SSH to support remote access to the server.
+- Enables the firewall and opens port 80 for inbound and outbound traffic. The MCC uses port 80.
+- Configures Connected Cache tuning settings.
+- Creates the necessary free Azure resource: IoT Hub/IoT Edge.
+- Deploys the MCC container to the server.
> [!IMPORTANT]
-> Ensure that port 5000 is open so Microsoft can verify proper functioning of the cache server
+> Make sure that the following ports are open so that Microsoft can verify proper functionality of the cache server:
+>
+> - 80: content delivery
+> - 179: BGP session
+> - 443: IoT Edge secure communication
+> - 5000: (optional) used to view locally running report
+> - 5671: IoT Edge communication/container management
+> - 8883: IoT Edge communication/container management
### Steps to install MCC
-1. Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files.
+Before you start, make sure that you have a data drive configured on your server. You'll need to specify the location for this cache drive during this process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
- 
+1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file.
- Files contained in the mccinstaller.zip file:
+ :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action.":::
- - **installmcc.sh** – main installer file.
- - **installIotEdge.sh** – Installs the necessary prerequisites like IoT Edge runtime and Docker and makes necessary host OS settings to optimization caching performance.
- - **resourceDeploymentForConnectedCache.sh** – Creates Azure cloud resources required to support MCC control plane.
- - **mccdeployment.json** – Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container like cache drives location sizes.
+ Unzip the **mccinstaller.zip** file, which includes the following installation files and folders:
-2. Copy all 4 installation files to your Linux server (physical or VM)
+ - Diagnostics folder: Used to create diagnostics support bundle.
+ - **installmcc.sh**: Main installer file.
+ - **installIotEdge.sh**: Installs the necessary prerequisites. For example, IoT Edge runtime and Docker. It also makes necessary host OS settings to optimize caching performance.
+ - **resourceDeploymentForConnectedCache.sh**: Creates Azure cloud resources required to support the MCC control plane.
+ - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container. It also configures settings on the container like cache drives location and sizes.
+ - **mccupdate.json**
+ - **packagever.txt**
+ - **uninstallmcc.sh**: Main uninstaller file.
+ - **updatemcc.sh**: Main update file.
-3. Before proceeding, ensure that you have a data drive configured on your server. You'll need to specify the location for this cache drive on step 9. Mimimum size for the data drive is 100GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk)
+1. Copy all files to your Linux server.
-4. Open a terminal and change the access permissions to execute on the **installmcc.sh** Bash script file using chmod.
+1. Open a terminal window. Change the access permissions to execute on the **installmcc.sh** Bash script file using `chmod`.
```bash
sudo chmod +x installmcc.sh
```
-5. Copy the Bash script line provided and run the Bash script from the terminal.
+1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal.
- 
+ :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions.":::
-6. You'll be prompted to sign in to the Azure Portal using a device code.
+1. Sign in to the Azure portal with a device code.
- 
+ :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code.":::
-7. You'll be prompted to enter the Azure Container Registry (ACR) password for access to the MCC container.
+1. Specify the number of drives to configure. Use an integer value less than 10.
- 
+ :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure.":::
-8. You'll then be prompted with the number of drives to configure.
+1. Specify the location of the cache drives. For example, `/datadrive/`
- 
+ :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive.":::
-9. The script will prompt for location and size of the cache drives.
+ > [!IMPORTANT]
+ > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`.
+ >
+ > Don't point the cache drive to any of the following locations:
+ >
+ > - `.`
+ > - `./var`
+ > - `/`
+ > - `
-> **Don't** point the cache drive location to any of the following: “**.**”, “**./var**”, “**/**”, “**\
[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898)
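Review bot: The new IMPORTANT callout under the cache drive location step says the script changes "permission and ownership" on the cache drive to everyone with `chmod 777`, but `chmod` only sets mode bits and does not change ownership, and the text gives no reason why the cache directory needs to be world-writable. Suggest rewording to something like "The script sets the permissions on the cache drive to `777` (read, write, and execute for all users)" and adding a sentence that recommends a dedicated directory used only for the cache. Separately, the port callout under "Install MCC" introduces all six ports as required "so that Microsoft can verify proper functionality of the cache server", yet port 5000 is marked optional and described as serving a locally running report. The lead sentence should be split so readers can tell which ports must be reachable, from where, and in which direction.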
diff --git a/windows/deployment/images/download_vhd.png b/windows/deployment/images/download_vhd.png
deleted file mode 100644
index 248a512040..0000000000
Binary files a/windows/deployment/images/download_vhd.png and /dev/null differ
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index febbb80275..051bc90e0d 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -1,21 +1,22 @@
---
title: Windows 10 features we're no longer developing
-description: Review the list of features that are no longer being developed in Windows 10
+description: Review the list of features that are no longer being developed in Windows 10.
ms.prod: w10
-ms.mktglfcycl: plan
+ms.technology: windows
ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
+ms.reviewer:
ms.topic: article
ms.collection: highpri
---
# Windows 10 features we're no longer developing
-> Applies to: Windows 10
+_Applies to:_
+
+- Windows 10
Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md).
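Review bot: The front matter adds `ms.reviewer:` with no value. If there is a reviewer alias, set it; otherwise drop the key rather than committing an empty field, especially since this same hunk removes other unused metadata (`ms.mktglfcycl`, `ms.sitesec`, `audience`).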
@@ -25,38 +26,38 @@ The features described below are no longer being actively developed, and might b
**The following list is subject to change and might not include every affected feature or functionality.**
-> [!NOTE]
-> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
+> [!NOTE]
+> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
-| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
+| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
-| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
-| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you'll no longer have the option to upload new activity in Timeline. See [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 |
+| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself isn't affected. | 21H1 |
+| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you can't upload new activity in Timeline. For more information, see [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
-| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
-| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
+| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
PSR was removed in Windows 11.| 1909 |
+| XDDM-based remote display driver | The Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
-| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
-| Windows To Go | Windows To Go is no longer being developed.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
-| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
-|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
+| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
+| Windows To Go | Windows To Go is no longer being developed.
The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
+| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
+|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
-|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
+|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97). It provides the same screen snipping abilities plus other features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
|[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
|[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
-|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
+|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 |
|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. For more information, see [Developer guide for creating service metadata](/windows-hardware/drivers/mobilebroadband/developer-guide-for-creating-service-metadata) | 1803 |
|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](/previous-versions/windows/desktop/wincontacts/-wincontacts-entry-point). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
-|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
-|[Layered Service Providers](/windows/win32/winsock/categorizing-layered-service-providers-and-applications)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 |
+|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803. The Direct Tunnels feature has always been disabled by default. Use native IPv6 support instead.| 1803 |
+|[Layered Service Providers](/windows/win32/winsock/categorizing-layered-service-providers-and-applications)|Layered Service Providers haven't been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to reinstall them after upgrading.| 1803 |
|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
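Review bot: the rewritten IPv4/6 Transition Technologies row still joins three independent clauses with commas ("6to4 has been disabled by default since ..., ISATAP has been disabled by default since ..., Teredo has been disabled since ..."), and the Teredo clause omits "by default" while the 6to4, ISATAP and Direct Tunnels clauses all say it. Suggest one sentence per technology, and confirm whether Teredo is meant to read "disabled" or "disabled by default", because someone auditing tunnel interfaces will treat those as different statements.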
@@ -64,15 +65,15 @@ The features described below are no longer being actively developed, and might b
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
|System Image Backup (SIB) Solution | We recommend that users use full-disk backup solutions from other vendors. | 1709 |
-|TLS RC4 Ciphers |To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
+|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
|Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 |
|Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 |
-|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
+|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
|Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
-|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
+|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This replacement includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
|Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
-|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
+|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 |
+|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019.|
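Review bot: the unchanged "TLS DHE_DSS ciphers DisabledByDefault" row in this hunk still uses the link text "[TLS RC4 Ciphers]" and says that is what "will be disabled by default in this release", so the row title and its description name different cipher families. Since the RC4 row a few lines up is being edited in the same hunk, correct the DHE_DSS description here too so that readers checking Schannel defaults for 1703 are not pointed at the wrong ciphers.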
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 0662961ade..32c08d1d10 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -7,7 +7,7 @@ metadata:
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
- ms.date: 08/18/2017
+ ms.date: 05/12/2022
ms.reviewer:
author: aczechowski
ms.author: aaroncz
@@ -24,7 +24,7 @@ sections:
- question: |
Where can I download Windows 10 Enterprise?
answer: |
- If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx).
+ If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you don't have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx).
- question: |
What are the system requirements?
@@ -34,21 +34,25 @@ sections:
- question: |
What are the hardware requirements for Windows 10?
answer: |
- Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information.
+ Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. For more information, see [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications).
- question: |
Can I evaluate Windows 10 Enterprise?
answer: |
- Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
+ Yes, a 90-day evaluation of Windows 10 Enterprise is available. The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
+
+ > [!NOTE]
+ > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
+
- name: Drivers and compatibility
questions:
- question: |
Where can I find drivers for my devices for Windows 10 Enterprise?
answer: |
- For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action.
- - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
- - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
+ For many devices, drivers will be automatically installed in Windows 10 and there will be no need for further action.
+ - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
+ - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
- [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
- [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
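Review bot: the HP and Dell driver pack links left as context at the end of this hunk still use plain "http://". These are download sources for drivers that end up in deployment images, so switch them to "https://" while this answer is being edited. In the rewritten evaluation answer, "a 90-day evaluation of Windows 10 Enterprise is available" no longer links anywhere and relies entirely on the note below it, and "hands on experience" should be "hands-on experience".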
@@ -58,22 +62,28 @@ sections:
- question: |
Where can I find out if an application or device is compatible with Windows 10?
answer: |
- Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](/windows/windows-10/) on the Windows IT Center.
+ Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices.
- question: |
- Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
+ Is there an easy way to assess if my organization's devices are ready to upgrade to Windows 10?
answer: |
- [Windows Analytics Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics).
+ [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without other infrastructure requirements. This service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
- name: Administration and deployment
questions:
- question: |
Which deployment tools support Windows 10?
answer: |
- Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
- - [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment.
- - Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center.
- - The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
+ Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
+
+ - [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using Configuration Manager, download a free 180-day trial.
+
+ > [!NOTE]
+ > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
+
+ - [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment.
+
+ - The [Windows ADK](/windows-hardware/get-started/adk-install) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
- question: |
Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
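Review bot: the "[!NOTE] The Microsoft Evaluation Center is temporarily unavailable" block is now duplicated verbatim in a second answer, and here it sits between the Configuration Manager and MDT bullets, so "download a free 180-day trial" has no link of its own. Suggest keeping the text in one shared include, confirming the note is nested under the Configuration Manager bullet so the list is not split, and tracking its removal, since "temporarily" will go stale. The Windows ADK bullet now links to /windows-hardware/get-started/adk-install but still says to download "from the Hardware Dev Center"; align the sentence with the new link target.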
@@ -83,9 +93,9 @@ sections:
- question: |
Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
answer: |
- If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+ If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you're entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
- For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
+ For devices that are licensed under a volume license agreement for Windows that doesn't include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
- name: Managing updates
questions:
@@ -97,7 +107,7 @@ sections:
- question: |
How is servicing different with Windows as a service?
answer: |
- Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
+ Traditional Windows servicing has included several release types: major revisions (for example, Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
- question: |
What are the servicing channels?
@@ -107,13 +117,13 @@ sections:
- question: |
What tools can I use to manage Windows as a service updates?
answer: |
- There are many tools are available. You can choose from these:
+ There are many available tools:
- Windows Update
- Windows Update for Business
- Windows Server Update Services
- Microsoft Endpoint Configuration Manager
- For more information on pros and cons for these tools, see [Servicing Tools](../update/waas-overview.md#servicing-tools).
+ For more information, see [Servicing Tools](../update/waas-overview.md#servicing-tools).
- name: User experience
questions:
@@ -122,17 +132,17 @@ sections:
answer: |
For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
- Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
+ Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
- question: |
How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
answer: |
- Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](/windows/windows-10/) resources.
+ Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1.
- question: |
- How does Windows 10 help people work with applications and data across a variety of devices?
+ How does Windows 10 help people work with applications and data across various devices?
answer: |
The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include:
- Start menu is a launching point for access to apps.
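Review bot: the rewritten "Another place to track the latest information" line keeps the blogs.technet.microsoft.com link, although this change removes the other TechNet-era targets (the TechNet Evaluation Center, the Adoption Planning Kit, the end user readiness page). Verify that the blog URL still resolves to the intended site before merging. The unchanged line above it also still presents "What's new in Windows 10, version 1703" as the current reference while ms.date is bumped to 05/12/2022.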
@@ -146,7 +156,7 @@ sections:
Where can I ask a question about Windows 10?
answer: |
Use the following resources for additional information about Windows 10.
- - If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
- - If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
+ - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
+ - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
+ - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home).
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index c1f3295abc..77ff8332d5 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -16,18 +16,6 @@ ms.topic: article
# What does USMT migrate?
-## In this topic
-
-- [Default migration scripts](#bkmk-defaultmigscripts)
-
-- [User Data](#bkmk-3)
-
-- [Operating-system components](#bkmk-4)
-
-- [Supported applications](#bkmk-2)
-
-- [What USMT does not migrate](#no)
-
## Default migration scripts
The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
@@ -106,7 +94,7 @@ The following components are migrated by default using the manifest files:
- Fonts
-- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required.
+- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then selecting **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required.
- \*Windows Internet Explorer® settings
@@ -138,17 +126,17 @@ The following components are migrated by default using the manifest files:
- Windows Rights Management
-\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
+\* These settings aren't available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
> [!IMPORTANT]
> This list may not be complete. There may be additional components that are migrated.
> [!NOTE]
-> Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
+> Some settings, such as fonts, aren't applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
## Supported applications
-Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers.
+Even though it's not required for all applications, it's good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that migrated settings aren't overwritten by the application installers.
> [!NOTE]
>
@@ -204,9 +192,9 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi
|Yahoo Messenger|9|
|Microsoft Zune™ Software|3|
-## What USMT does not migrate
+## What USMT doesn't migrate
-The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md).
+The following is a list of the settings that USMT doesn't migrate. If you are having a problem that isn't listed here, see [Common Issues](usmt-common-issues.md).
### Application settings
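Review bot: renaming the heading to "What USMT doesn't migrate" changes the anchor derived from the heading text, so any inbound link that targets the old "does not migrate" fragment will stop resolving. Search the repo for links to this section before merging. In the rewritten sentence under the heading, "If you are having a problem" is left uncontracted next to "doesn't" and "isn't", and the next hunk's header context still shows "USMT does not migrate the following application settings:", so the style pass is incomplete.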
@@ -218,7 +206,7 @@ USMT does not migrate the following application settings:
- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
-- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when:
+- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application won't start. You may encounter problems when:
- You change the default installation location on 32-bit destination computers.
@@ -230,7 +218,7 @@ USMT does not migrate the following operating-system settings.
- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
-- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer.
+- Permissions for shared folders. After migration, you must manually reshare any folders that were shared on the source computer.
- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
@@ -240,7 +228,7 @@ USMT does not migrate the following operating-system settings.
You should also note the following:
-- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**.
+- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, select **Start**, **All Programs**, **Accessories**, right-click **Command Prompt**, and then select **Run as administrator**.
- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
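Review bot: the rewritten administrator bullet contracts "do not" to "don't" but leaves "some data will not migrate" and "some operating-system settings will not migrate" in the same paragraph. It also states the requirement twice at different strengths ("You should run USMT from an account with administrative credentials", then "you must run the tools in Administrator mode"). Suggest stating it once with "must", since the line itself says that without elevation only the logged-on user profile is included in the migration.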
@@ -248,6 +236,10 @@ You should also note the following:
Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout).
+### User profiles from Active Directory to Azure Active Directory
+
+USMT doesn't support migrating user profiles from Active Directory to Azure Active Directory.
+
## Related topics
[Plan your migration](usmt-plan-your-migration.md)
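Review bot: The new "User profiles from Active Directory to Azure Active Directory" section states the limitation and stops, so a reader planning that move has no next step. Add one sentence saying what happens if the migration is attempted, or link to the supported guidance if there is any. The unchanged line just above still reads "the USMT does not migrate" while the rest of this change switches to contractions, so decide whether to make the wording consistent here too.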
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index e4f15a4aa4..9b38379f79 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,53 +1,48 @@
---
-title: Steps to deploy Windows 10 with Microsoft Endpoint Configuration Manager
-description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft endpoint configuration manager.
+title: Steps to deploy Windows 10 with Configuration Manager
+description: Learn how to deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, sccm
+ms.technology: windows
ms.localizationpriority: medium
ms.reviewer:
manager: dougeby
ms.audience: itpro
ms.author: aaroncz
author: aczechowski
-audience: itpro
-ms.topic: article
-ms.custom: seo-marvel-apr2020
+ms.topic: tutorial
---
-# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
+# Deploy Windows 10 in a test lab using Configuration Manager
-**Applies to**
+*Applies to*
-- Windows 10
+- Windows 10
-**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides:
-
-- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-
-Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide.
+> [!Important]
+> This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides:
+>
+> - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
+> - [Deploy Windows 10 in a test lab using the Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+>
+> Complete all steps in these guides before you start the procedures in this guide. If you want to skip the Windows 10 deployment procedures in the MDT guide, and move directly to this guide, at least install MDT and the Windows ADK before starting this guide. All steps in the first guide are required before attempting the procedures in this guide.
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
-- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
+- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your network for testing purposes.
->This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
+This guide uses the Hyper-V server role to perform procedures. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
->Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
+Multiple features and services are installed on SRV1 in this guide. This configuration isn't a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, select **Settings**, select **Memory**, and modify the value next to **Maximum RAM**.
## In this guide
This guide provides end-to-end instructions to install and configure Microsoft Endpoint Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-|Topic|Description|Time|
+|Procedure|Description|Time|
|--- |--- |--- |
|[Install prerequisites](#install-prerequisites)|Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.|60 minutes|
|[Install Microsoft Endpoint Configuration Manager](#install-microsoft-endpoint-configuration-manager)|Download Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.|45 minutes|
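Review bot: The rewritten RAM paragraph breaks its own sentence structure: "by right-clicking the VM in the Hyper-V Manager console, select **Settings**, select **Memory**, and modify the value" mixes a gerund with imperatives. Use either "right-click the VM ..., select **Settings**, select **Memory**, and then modify" or keep all four as gerunds. Also, the two paragraphs that lost their leading `>` are now plain body text, while the same change elsewhere converts such blockquotes to `> [!NOTE]`. Finally, the title and H1 drop "Microsoft Endpoint", but the description and the "Install Microsoft Endpoint Configuration Manager" table row keep it. Pick one form for each.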
@@ -55,9 +50,9 @@ Topics and procedures in this guide are summarized in the following table. An es
|[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)|Prerequisite procedures to support Zero Touch installation.|60 minutes|
|[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)|Use the MDT wizard to create the boot image in Configuration Manager.|20 minutes|
|[Create a Windows 10 reference image](#create-a-windows-10-reference-image)|This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.|0-60 minutes|
-|[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)|Add a Windows 10 operating system image and distribute it.|10 minutes|
+|[Add a Windows 10 OS image](#add-a-windows-10-os-image)|Add a Windows 10 OS image and distribute it.|10 minutes|
|[Create a task sequence](#create-a-task-sequence)|Create a Configuration Manager task sequence with MDT integration using the MDT wizard|15 minutes|
-|[Finalize the operating system configuration](#finalize-the-operating-system-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes|
+|[Finalize the OS configuration](#finalize-the-os-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes|
|[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)|Deploy Windows 10 using Configuration Manager deployment packages and task sequences.|60 minutes|
|[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)|Replace a client computer with Windows 10 using Configuration Manager.|90 minutes|
|[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)|Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT|90 minutes|
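Review bot: The two renamed table links, `#add-a-windows-10-os-image` and `#finalize-the-os-configuration`, only resolve if the matching headings are renamed in this same change, and this hunk does not show them. Confirm that both headings now read "Add a Windows 10 OS image" and "Finalize the OS configuration". Then check other articles for links to the old `#add-a-windows-10-operating-system-image` and `#finalize-the-operating-system-configuration` anchors, which will silently stop jumping to the section.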
@@ -70,10 +65,11 @@ Topics and procedures in this guide are summarized in the following table. An es
Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
```
- >If the request to add features fails, retry the installation by typing the command again.
+ > [!NOTE]
+ > If the request to add features fails, retry the installation by typing the command again.
2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
-3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
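Review bot: Step 2 still sends the reader to the Microsoft Evaluation Center for the SQL Server 2014 SP2 ISO, but a later hunk in this same file adds a note that the Evaluation Center is temporarily unavailable. The note belongs on every Evaluation Center download in the article, not only the Configuration Manager one. Because the ISO is then attached directly to SRV1 with `Set-VMDvdDrive`, it is also worth adding a step to confirm the downloaded file is the expected one (for example with `Get-FileHash`, if a reference hash is published) before mounting it.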
@@ -109,11 +105,11 @@ Topics and procedures in this guide are summarized in the following table. An es
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
- New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
- New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
- New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound -Protocol TCP -LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound -Protocol UDP -LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound -Protocol TCP -LocalPort 4022 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound -Protocol TCP -LocalPort 135 -Action allow
```
6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components.
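Review bot: Replacing the en dashes with ASCII hyphens on `-Protocol` and `-LocalPort` is a real fix, since the old commands would fail when pasted. However, all five rules still allow inbound traffic from any remote address on every firewall profile, including TCP 135 and the SQL ports. For a lab this works, but readers copy these lines into other environments. Consider scoping them with `-Profile Domain` or a `-RemoteAddress` limited to the PoC subnet, or add a note that the rules are intentionally broad for the lab only. The unchanged step 6 also hardcodes "The current version is the ADK for Windows 10, version 2004", which will go stale. Drop the version sentence or link to the ADK page only.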
@@ -128,9 +124,14 @@ Topics and procedures in this guide are summarized in the following table. An es
Stop-Process -Name Explorer
```
-2. Download [Microsoft Endpoint Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+1. Download **Microsoft Endpoint Configuration Manager** on SRV1.
-3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
+ > [!NOTE]
+ > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
+
+1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+
+1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
```dos
Get-Service Winmgmt
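Review bot: The new download step, "Download **Microsoft Endpoint Configuration Manager** on SRV1", no longer says where the file comes from or what it is called, and the next step's "Open the file" depends on that. The only pointer left is a note linking to a community forum workaround described as temporary. Name the file or package the reader should end up with, and plan to restore an official download link when the Evaluation Center note is removed. Separately, the unchanged fence just below is tagged `dos` but contains `Get-Service Winmgmt`, a PowerShell command. Change the tag to `powershell` while touching this section.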
@@ -157,57 +158,58 @@ Topics and procedures in this guide are summarized in the following table. An es
You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
- If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
+ If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
-4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
+1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
```powershell
cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
```
-5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
+1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
```dos
adsiedit.msc
```
-6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**.
-7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**.
-8. Click **container** and then click **Next**.
-9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
-10. Right-click **CN=system Management** and then click **Properties**.
-11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**.
-12. Under **Enter the object names to select**, type **SRV1** and click **OK**.
-13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
-14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**.
-15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times.
-16. Close the ADSI Edit console and switch back to SRV1.
-17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
+1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
+1. Select **container** and then select **Next**.
+1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**.
+1. Right-click **CN=system Management** and then select **Properties**.
+1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
+1. Under **Enter the object names to select**, type **SRV1** and select **OK**.
+1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
+1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
+1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
+1. Close the ADSI Edit console and switch back to SRV1.
+1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
```
-18. Provide the following in the Microsoft Endpoint Manager Setup Wizard:
- - **Before You Begin**: Read the text and click *Next*.
+1. Provide the following information in the Configuration Manager Setup Wizard:
+ - **Before You Begin**: Read the text and select *Next*.
- **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- - Click **Yes** in response to the popup window.
+ - Select **Yes** in response to the popup window.
- **Product Key**: Choose **Install the evaluation edition of this Product**.
- **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
- **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
- **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
- **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
- use default settings for all other options
- - **Usage Data**: Read the text and click **Next**.
+ - **Usage Data**: Read the text and select **Next**.
- **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
- - **Settings Summary**: Review settings and click **Next**.
- - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
+ - **Settings Summary**: Review settings and select **Next**.
+ - **Prerequisite Check**: No failures should be listed. Ignore any warnings and select **Begin Install**.
- >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
+ > [!NOTE]
+ > There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
- Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
+ Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete.
-19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
+1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
```powershell
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
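Review bot: The final step re-enables IE Enhanced Security Configuration with `Set-ItemProperty -Path $AdminKey ...`, but `$AdminKey` is not defined anywhere in this hunk. After an install that the text says can take about an hour, the reader is likely to be in a new PowerShell session where the variable is empty. The command then fails and the hardening stays off. Repeat the variable assignment in this code block, or tell the reader to reuse the original session. Two smaller points on changed lines: "Read the text and select *Next*" uses italics where every other button is bold, and "Right-click **CN=system Management**" does not match the "System Management" value typed two steps earlier.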
@@ -263,45 +265,45 @@ This section contains several procedures to support Zero Touch installation with
### Enable MDT ConfigMgr integration
-1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**.
-2. Type **PS1** next to **Site code**, and then click **Next**.
-3. Verify **The process completed successfully** is displayed, and then click **Finish**.
+1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**.
+2. Type `PS1` as the **Site code**, and then select **Next**.
+3. Verify **The process completed successfully** is displayed, and then select **Finish**.
### Configure client settings
-1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**.
-2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar.
-3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab.
-4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**.
+1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
+2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar.
+3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab.
+4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**.
5. In the display pane, double-click **Default Client Settings**.
-6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**.
+6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**.
### Configure the network access account
-1. In the Administration workspace, expand **Site Configuration** and click **Sites**.
-2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**.
+1. In the Administration workspace, expand **Site Configuration** and select **Sites**.
+2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**.
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
-4. Click the yellow starburst and then click **New Account**.
-5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
-6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then click **OK** twice.
+4. Select the yellow starburst and then select **New Account**.
+5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**.
+6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice.
### Configure a boundary group
-1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**.
-2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**.
-3. Choose **Default-First-Site-Name** and then click **OK** twice.
-4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**.
-5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**.
-6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox.
-7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice.
+1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
+2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
+3. Choose **Default-First-Site-Name** and then select **OK** twice.
+4. In the Administration workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
+5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
+6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox.
+7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice.
### Add the state migration point role
-1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**.
-2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
-3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**.
-4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
-5. Click **Next** twice and then click **Close**.
+1. In the Administration workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
+2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
+3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**.
+4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
+5. Select **Next** twice and then select **Close**.
### Enable PXE on the distribution point
@@ -312,28 +314,29 @@ This section contains several procedures to support Zero Touch installation with
WDSUTIL /Set-Server /AnswerClients:None
```
-1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
(Get-NetAdapter "Ethernet").MacAddress
```
- > If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
+ > [!NOTE]
+ > If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
-2. In the Microsoft Endpoint Manager console, in the **Administration** workspace, click **Distribution Points**.
-3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
+2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**.
+3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**.
4. On the PXE tab, select the following settings:
- - **Enable PXE support for clients**. Click **Yes** in the popup that appears.
+ - **Enable PXE support for clients**. Select **Yes** in the popup that appears.
- **Allow this distribution point to respond to incoming PXE requests**
- - **Enable unknown computer support**. Click **OK** in the popup that appears.
+ - **Enable unknown computer support**. Select **OK** in the popup that appears.
- **Require a password when computers use PXE**
- **Password** and **Confirm password**: pass@word1
- - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
+ - **Respond to PXE requests on specific network interfaces**: Select the yellow starburst and then enter the MAC address determined in the first step of this procedure.
See the following example:

-5. Click **OK**.
+5. Select **OK**.
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```powershell
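Review bot: The PXE password is written here as "pass@word1", while the network access account step earlier in the file uses "pass\@word1". Depending on how the backslash renders, readers may type two different strings. Use the same form in both places, ideally in code formatting. The new `> [!NOTE]` after the `Get-NetAdapter` block also sits between list items 1 and 2, so check that it is indented under item 1 and that the list does not restart. Lastly, this list keeps explicit "2." and "3." numbers, whereas the Configuration Manager install list in the same change moved to all "1." markers.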
@@ -348,57 +351,60 @@ WDSUTIL /Set-Server /AnswerClients:None
wdsnbp.com
```
- >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
- >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
-
- ```powershell
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
-
- `Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"`
-
- Once the files are present in the REMINST share location, you can close the cmtrace tool.
+ > [!NOTE]
+ > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
+ >
+ > You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+ >
+ > ```powershell
+ > Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ > ```
+ >
+ > The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
+ >
+ > `Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"`
+ >
+ > Once the files are present in the REMINST share location, you can close the CMTrace tool.
### Create a branding image file
-1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
+1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image.
2. Type the following command at an elevated Windows PowerShell prompt:
```powershell
Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp"
```
- >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
+ > [!NOTE]
+ > You can open C:\Sources\OSD\Branding\contoso.bmp in Microsoft Paint to customize this image.
### Create a boot image for Configuration Manager
-1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
-2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
- - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
-3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
-4. On the Options page, under **Platform** choose **x64**, and click **Next**.
-5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
-6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
-7. Click **Finish**.
-8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
-9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
+1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**.
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
+ - The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later.
+3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**.
+4. On the Options page, under **Platform** choose **x64**, and select **Next**.
+5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**.
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
+7. Select **Finish**.
+8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**.
+9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**.
10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
```
- In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+ In the trace tool, select **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
```console
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
```
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
-12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
-13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
+12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab.
+13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**.
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
```console
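Review bot: the added NOTE tells the reader to close CMTrace twice. The paragraph before the WDSUTIL line ends with "Close CMTrace when done." and the last line of the note repeats "Once the files are present in the REMINST share location, you can close the CMTrace tool."; drop one of the two. The same NOTE says "to open the CMTrace", where step 10 says "To open CMTrace". Step 11 still uses "clicking" twice although the surrounding steps are moved from "click" to "select".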
@@ -412,11 +418,12 @@ WDSUTIL /Set-Server /AnswerClients:None
C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
```
- >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
+ > [!NOTE]
+ > The first two images (`*.wim` files) are default boot images. The third is the new boot image with DaRT.
### Create a Windows 10 reference image
-If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
+If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
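Review bot: the in-page link now targets `#add-a-windows-10-os-image`, which resolves only because the heading is renamed later in this patch. Any link from another article to the old `#add-a-windows-10-operating-system-image` fragment will stop landing on the section, so search the repo for the old fragment before merging. Minor: "If you've not yet created" reads more naturally as "If you haven't yet created".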
@@ -424,68 +431,70 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
-2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
-4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-5. Use the following settings for the New Deployment Share Wizard:
+1. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**
- Share name: **MDTBuildLab$**
- Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
+ - Options: Select **Next** to accept the default
+ - Summary: Select **Next**
- Progress: settings will be applied
- - Confirmation: click **Finish**
+ - Confirmation: Select **Finish**
-6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
+1. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
+1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
-7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-8. Use the following settings for the Import Operating System Wizard:
+1. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**
- Source: **D:\\**
- Destination: **W10Ent_x64**
- - Summary: click **Next**
- - Confirmation: click **Finish**
+ - Summary: Select **Next**
+ - Confirmation: Select **Finish**
-9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
-10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**
- Task sequence name: **Windows 10 Enterprise x64 Default Image**
- Task sequence comments: **Reference Build**
- Template: **Standard Client Task Sequence**
- - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
+ - Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- Internet Explorer home page: **http://www.contoso.com**
- Admin Password: **Do not specify an Administrator password at this time**
- - Summary: click **Next**
- - Confirmation: click **Finish**
+ - Summary: Select **Next**
+ - Confirmation: Select **Finish**
-11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
+1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-12. Click the **Task Sequence** tab. Under **State Restore** click **Tattoo** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
+1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
-13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
+1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
-14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
+1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
-15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
+1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
-16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
- >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
+1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-17. Click **OK** to complete editing the task sequence.
+ > [!NOTE]
+ > Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications.
-18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab.
+1. Select **OK** to complete editing the task sequence.
-19. Replace the default rules with the following text:
+1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
+
+1. Replace the default rules with the following text:
```ini
[Settings]
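Review bot: the rewritten step "Edit the task sequence to add the Microsoft NET Framework 3.5" still drops the dot in ".NET", while the feature name a few steps later is written ".NET Framework 3.5"; fix it while the line is being touched. The Windows Update step keeps "by clicking ... clicking the **Options** tab", which the click-to-select sweep missed. This section also switches every step to `1.` while the following sections keep explicit numbers (2., 3., ...); pick one convention and confirm in a preview build that the nested fenced blocks and the NOTE do not restart the rendered numbering.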
@@ -520,7 +529,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
SkipFinalSummary=NO
```
-20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```ini
[Settings]
@@ -534,43 +543,44 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
SkipBDDWelcome=YES
```
-21. Click **OK** to complete the configuration of the deployment share.
+1. Select **OK** to complete the configuration of the deployment share.
-22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
+1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
-23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
+1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
-24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
- >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+ > [!TIP]
+ > To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**.
-25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
```powershell
- New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
+ New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
Start-VM REFW10X64-001
vmconnect localhost REFW10X64-001
```
-26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
+1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
-27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
+1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
- Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+ Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures:
- - Install the Windows 10 Enterprise operating system.
+ - Install the Windows 10 Enterprise OS.
- Install added applications, roles, and features.
- - Update the operating system using Windows Update (or WSUS if optionally specified).
+ - Update the OS using Windows Update (or WSUS if optionally specified).
- Stage Windows PE on the local disk.
- Run System Preparation (Sysprep) and reboot into Windows PE.
- Capture the installation to a Windows Imaging (WIM) file.
- Turn off the virtual machine.
- This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
+ This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
-### Add a Windows 10 operating system image
+### Add a Windows 10 OS image
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
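Review bot: in the Capture Image step, "Allow the system to boot normally, don't press a key." turns the old parenthetical into a comma splice; keep the parentheses or write "Allow the system to boot normally and don't press a key." The Update Deployment Share step still says "by clicking **Next**" next to the new "select **Finish**", and "Other system restarts will occur" is less clear than the "Additional system restarts" it replaces.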
@@ -579,37 +589,39 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
```
-2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**.
+2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**.
-3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**.
+3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
-4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**.
+4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
-5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**.
+5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**.
-6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
+6. In the Distribute Content Wizard, select **Next**, select **Add**, select **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**.
-7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
+7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar. (Make sure there's no space at the end of the location or you'll get an error.) Select **Windows 10 Enterprise x64** and monitor the status of content distribution until it's successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
- >If content distribution is not successful, verify that sufficient disk space is available.
+ > [!NOTE]
+ > If content distribution isn't successful, verify that sufficient disk space is available.
### Create a task sequence
->Complete this section slowly. There are a large number of similar settings from which to choose.
+> [!TIP]
+> Complete this section slowly. There are a large number of similar settings from which to choose.
-1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
+1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
-2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**.
+2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**.
-3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
+3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
4. On the Details page, enter the following settings:
- Join a domain: **contoso.com**
- - Account: click **Set**
+ - Account: Select **Set**
- User name: **contoso\CM_JD**
- Password: **pass@word1**
- Confirm password: **pass@word1**
- - Click **OK**
+ - Select **OK**
- Windows Settings
- User name: **Contoso**
- Organization name: **Contoso**
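Review bot: the Details page list is edited here but still publishes the literal password **pass@word1** for the domain join account contoso\CM_JD, and the next hunk keeps the same value for the local administrator account. While these lines are being touched, add a NOTE that the value is a lab placeholder and must not be reused outside the test lab. Style: step 5 still reads "by right-clicking ... and then clicking **Distribute Content**", and step 7 keeps "clicking **Refresh**".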
@@ -617,43 +629,43 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
- Administrator Account: **Enable the account and specify the local administrator password**
- Password: **pass@word1**
- Confirm password: **pass@word1**
- - Click **Next**
+ - Select **Next**
-5. On the Capture Settings page, accept the default settings and click **Next**.
+5. On the Capture Settings page, accept the default settings and select **Next**.
-6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**.
+6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**.
-7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**.
+7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
-8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**.
+8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**.
-9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**.
+9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**.
-10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**.
+10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and select **Next**.
-11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**.
+11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, select **OK**, and then select **Next**.
-12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**.
+12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**.
-13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**.
+13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
-14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**.
+14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**.
-15. On the Sysprep Package page, click **Next** twice.
+15. On the Sysprep Package page, select **Next** twice.
-16. On the Confirmation page, click **Finish**.
+16. On the Confirmation page, select **Finish**.
### Edit the task sequence
-1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**.
+1. In the Configuration Manager console, in the **Software Library** workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Edit**.
-2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action.
+2. Scroll down to the **Install** group and select the **Set Variable for Drive Letter** action.
-3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**.
+3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then select **Apply**.
-4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**.
+4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**.
-5. Configure the **Request State Store** action that was just added with the following settings:
+5. Configure this **Request State Store** step with the following settings:
- Request state storage location to: **Restore state from another computer**
- Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- Options tab: Select the **Continue on error** checkbox.
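Review bot: step 4 now says "This action adds a new step immediately after **Set Status 5**", using "action" for what the reader just did, while the same list calls task sequence items "the **Set Status 5** action" and "the **Set Variable for Drive Letter** action"; step 5 then calls the new item a "step". Use one term for task sequence items, for example keep "action" throughout and write "Configure this **Request State Store** action".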
@@ -661,38 +673,39 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
- Variable: **USMTLOCAL**
- Condition: **not equals**
- Value: **True**
- - Click **OK**
- - Click **Apply**
+ - Select **OK**
+ - Select **Apply**
-6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**.
+6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**.
-7. Configure the **Release State Store** action that was just added with the following settings:
+7. Configure this **Release State Store** step with the following settings:
- Options tab: Select the **Continue on error** checkbox.
- Add Condition: **Task Sequence Variable**:
- Variable: **USMTLOCAL**
- Condition: **not equals**
- Value: **True**
- - Click **OK**
- - Click **OK**
+ - Select **OK**
+ - Select **OK**
-### Finalize the operating system configuration
+### Finalize the OS configuration
->If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini.
+> [!NOTE]
+> If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini.
-1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**.
+1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then select **New Deployment Share**.
2. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTProduction**
- Share name: **MDTProduction$**
- Deployment share description: **MDT Production**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
+ - Options: Select **Next** to accept the default
+ - Summary: Select **Next**
- Progress: settings will be applied
- - Confirmation: click **Finish**
+ - Confirmation: Select **Finish**
-3. Right-click the **MDT Production** deployment share, and click **Properties**.
+3. Right-click the **MDT Production** deployment share, and select **Properties**.
-4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
+4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
@@ -718,42 +731,43 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
ApplyGPOPack=NO
```
- >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts:
+ > [!NOTE]
+ > To migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts:
+ >
+ > ```ini
+ > OSDMigrateAdditionalCaptureOptions=/all
+ > ```
- ```ini
- OSDMigrateAdditionalCaptureOptions=/all
- ```
+7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
-7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears.
+8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
-8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**.
+9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**.
-9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
-
-10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**.
+10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it's successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**.
### Create a deployment for the task sequence
-1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**.
+1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
-2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**.
+2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**.
3. On the Deployment Settings page, use the following settings:
- Purpose: **Available**
- Make available to the following: **Only media and PXE**
- - Click **Next**.
-4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
+ - Select **Next**.
+4. Select **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
-5. Click **Close**.
+5. Select **Close**.
## Deploy Windows 10 using PXE and Configuration Manager
-In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings.
+In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings.
1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
- New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+ New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
Start-VM PC4
vmconnect localhost PC4
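Review bot: The rewritten note in step 6 reads "To migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option"; the "then" is left over from the old "if you wish to ..., then" construction and should be dropped. Step 10 still ends with "and clicking **Refresh**" although the rest of this hunk replaces "click" with "select"; reword it to match. The new step 4 of the deployment procedure says to select **Next** five times but names only four pages, so either list the fifth page or correct the count.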
@@ -761,28 +775,28 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
2. Press ENTER when prompted to start the network boot service.
-3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**.
+3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then select **Next**.
-4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
+4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
- X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted.
- X:\smstslog\smsts.log after disks are formatted.
- - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Manager client is installed.
- - C:\Windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Manager client is installed.
+ - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Configuration Manager client is installed.
+ - C:\Windows\ccm\logs\Smstslog\smsts.log after the Configuration Manager client is installed.
- C:\Windows\ccm\logs\smsts.log when the task sequence is complete.
Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open.
-7. In the explorer window, click **Tools** and then click **Map Network Drive**.
+7. In the explorer window, select **Tools** and then select **Map Network Drive**.
-8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1.
+8. Don't map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1.
9. Close the Map Network Drive window, the Explorer window, and the command prompt.
-10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Click **Next** to continue with the deployment.
+10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment.
11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
- Install Windows 10
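Review bot: The "Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open." line after the smsts.log locations in step 6 is still plain inline text, while this change converts the other notes in the file to the `> [!NOTE]` alert form; convert it as well so it renders consistently. Steps 7 and 8 also read oddly together, since step 7 opens **Map Network Drive** and step 8 opens with "Don't map a network drive at this time"; consider merging them into one step that says the dialog is shown only as a way to save smsts.log to SRV1 if needed.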
@@ -792,7 +806,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
-13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image.
+13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
14. Shut down the PC4 VM.
@@ -801,80 +815,88 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
## Replace a client with Windows 10 using Configuration Manager
->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
+> [!NOTE]
+> Before you start this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It's not required to delete the stale entries, this action is only done to remove clutter.

-In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
+In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to perform this procedure before performing the refresh procedure. After you refresh PC1, the OS will be new. The next (replace) procedure doesn't install a new OS on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
### Create a replace task sequence
-1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
+1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
-2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**.
+2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**.
-3. On the General page, type the following:
+3. On the General page, type the following information:
- Task sequence name: **Replace Task Sequence**
- Task sequence comments: **USMT backup only**
-4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue.
-5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue.
-6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue.
-7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue.
-8. On the Summary page, review the details and then click **Next**.
-9. On the Confirmation page, click **Finish**.
+4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue.
+5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue.
+6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue.
+7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue.
+8. On the Summary page, review the details and then select **Next**.
+9. On the Confirmation page, select **Finish**.
->If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration.
+> [!NOTE]
+> If an error is displayed at this stage, it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration.
### Deploy PC4
Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
-New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20
Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
```
->Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer.
+> [!NOTE]
+> Hyper-V lets you define a static MAC address on PC4. In a real-world scenario, you must determine the MAC address of the new computer.
### Install the Configuration Manager client on PC1
1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
-2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
-3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**.
-4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
-5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times.
-6. When a popup dialog box asks if you want to run full discovery, click **Yes**.
-7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
+1. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
+1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
+1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
+1. When a popup dialog box asks if you want to run full discovery, select **Yes**.
+1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
->If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console.
+ > [!TIP]
+ > If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console.
-The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next.
+ The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next.
-8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt:
+1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
+
+ > [!Note]
+ > This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt.
```dos
sc stop ccmsetup
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
```
- >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client).
+ > [!NOTE]
+ > If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client).
-9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type:
+1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type:
```dos
net stop wuauserv
net stop BITS
```
- Verify that both services were stopped successfully, then type the following at an elevated command prompt:
+ Verify that both services were stopped successfully, then type the following command at an elevated command prompt:
```dos
del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
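Review bot: The Discovery Methods step in "Install the Configuration Manager client on PC1" now reads "expand **Hierarchy Configuration** and select on **Discovery Methods**"; the "on" survived the click-to-select replacement and should be removed. The alert added before the `sc stop ccmsetup` block is written `> [!Note]` while every other alert added in this hunk is `> [!NOTE]`; use one casing. In the note that opens the replace section, "It's not required to delete the stale entries, this action is only done to remove clutter" is a comma splice and the same note keeps "do not delete" while the rest of the change uses contractions. The checkpoint step says "Type the following commands" for a single `Checkpoint-VM` command.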
@@ -882,131 +904,132 @@ The **Client** column indicates that the Configuration Manager client is not cur
bitsadmin /list /allusers
```
- Verify that BITSAdmin displays 0 jobs.
+ Verify that BITSAdmin displays zero jobs.
-10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt:
+1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt:
```dos
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
```
-11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
-12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
+1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
+1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
```powershell
Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
```
- Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
+ Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
-13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
+1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
```dos
control smscfgrc
```
-14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
+1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:

- If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
+ If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry.
-15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
+1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
-16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
+1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:

- >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
+ > [!NOTE]
+ > It might take several minutes for the client to fully register with the site and complete a client check. When it's complete you will see a green check mark over the client icon as shown above. To refresh the client, select it and then press **F5** or right-click the client and select **Refresh**.
### Create a device collection and deployment
-1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
+1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- General > Name: **Install Windows 10 Enterprise x64**
- General > Limiting collection: **All Systems**
- Membership Rules > Add Rule: **Direct Rule**
- - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - The **Create Direct Membership Rule Wizard** opens, select **Next**
- Search for Resources > Resource class: **System Resource**
- Search for Resources > Attribute name: **Name**
- Search for Resources > Value: **%**
- Select Resources > Value: Select the computername associated with the PC1 VM
- - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close)
+ - Select **Next** twice and then select **Close** in both windows (Next, Next, Close, then Next, Next, Close)
3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
-4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**.
+4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
5. Use the following settings in the Deploy Software wizard:
- - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
+ - General > Collection: Select Browse and select **Install Windows 10 Enterprise x64**
- Deployment Settings > Purpose: **Available**
- Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
- - Scheduling > Click **Next**
- - User Experience > Click **Next**
- - Alerts > Click **Next**
- - Distribution Points > Click **Next**
- - Summary > Click **Next**
- - Verify that the wizard completed successfully and then click **Close**
+ - Scheduling > select **Next**
+ - User Experience > select **Next**
+ - Alerts > select **Next**
+ - Distribution Points > select **Next**
+ - Summary > select **Next**
+ - Verify that the wizard completed successfully and then select **Close**
### Associate PC4 with PC1
-1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**.
+1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**.
-2. On the Select Source page, choose **Import single computer** and click **Next**.
+2. On the Select Source page, choose **Import single computer** and select **Next**.
3. On the Single Computer page, use the following settings:
- Computer Name: **PC4**
- MAC Address: **00:15:5D:83:26:FF**
- - Source Computer: \
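Review bot: The rewritten paragraph after the `Get-Content` command still tells the reader to verify that **CcmSetup is existing with return code 0** appears on the last line of ccmsetup.log; "existing" looks like a typo for "exiting", and because readers will match this string against the log it should be checked against real output and corrected while the paragraph is being edited. Smaller points in the same hunk: "wait few minutes" is missing "a"; the Deploy Software wizard bullets mix "Select Browse" (capitalised, Browse not bold) with lowercase "select **Next**"; and the context line "Asset and Compliance workspace" disagrees with "Assets and Compliance" used in the other steps.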
-- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
-The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
+The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance.
-Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software.
+Approximately 3 hours are required to configure the PoC environment. You'll need a Hyper-V capable computer running Windows 8.1 or later with at least 16 GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below.
-Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
+Windows PowerShell commands are provided to set up the PoC environment quickly. You don't need to be an expert in Windows PowerShell to complete the steps in the guide, however you'll need to customize some commands to your environment.
> [!TIP]
> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
->
-> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
+>
+> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with `cmd /c`. You can also escape special characters in the command using the back-tick character (\`). In most cases, the simplest action is to type `cmd` and enter a command prompt, type the necessary commands, then type `exit` to return to Windows PowerShell.
-Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
+Hyper-V is installed, configured and used extensively in this guide. If you aren't familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
## In this guide
-This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings.
+This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, modify your virtual switch settings to match the settings used in this guide. Alternatively, you can modify the steps in this guide to use your existing Hyper-V settings.
-After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
+After completing the instructions in this guide, you'll have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-
-|Topic|Description|Time|
+|Procedure|Description|Time|
|--- |--- |--- |
|[Hardware and software requirements](#hardware-and-software-requirements)|Prerequisites to complete this guide.|Informational|
|[Lab setup](#lab-setup)|A description and diagram of the PoC environment.|Informational|
-|[Configure the PoC environment](#configure-the-poc-environment)|Parent topic for procedures.|Informational|
+|[Configure the PoC environment](#configure-the-poc-environment)|Parent section for procedures.|Informational|
|[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)|Verify that installation of Hyper-V is supported, and install the Hyper-V server role.|10 minutes|
|[Download VHD and ISO files](#download-vhd-and-iso-files)|Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.|30 minutes|
|[Convert PC to VM](#convert-pc-to-vm)|Convert a physical computer on your network to a VM hosted in Hyper-V.|30 minutes|
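Review bot: The added opening sentence changes subject halfway through: "for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment" does not parse. Suggest "for IT professionals who aren't familiar with these tools and want to set up a PoC environment". In the added PowerShell sentence, "however" still joins two clauses after a comma; use "but" or start a new sentence.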
@@ -75,31 +68,23 @@ Topics and procedures in this guide are summarized in the following table. An es
One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
-- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
-- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
+- **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
+- **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2.
Hardware requirements are displayed below:
-
-
-||Computer 1 (required)|Computer 2 (recommended)|
+| |Computer 1 (required)|Computer 2 (recommended)|
|--- |--- |--- |
|**Role**|Hyper-V host|Client computer|
-|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.|
-|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016*|Windows 7 or a later|
+|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 8.1 client on your network that will be converted to a VM to demonstrate the upgrade process.|
+|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016|Windows 8.1 or a later|
|**Edition**|Enterprise, Professional, or Education|Any|
-|**Architecture**|64-bit|Any
*Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.*|
-|**RAM**|8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
-|**Disk**|200 GB available hard disk space, any format.|Any size, MBR formatted.|
+|**Architecture**|64-bit|Any
Retaining applications and settings requires that architecture (32-bit or 64-bit) is the same before and after the upgrade.|
+|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16-GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
+|**Disk**|200-GB available hard disk space, any format.|Any size, MBR formatted.|
|**CPU**|SLAT-Capable CPU|Any|
|**Network**|Internet connection|Any|
-\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
-
-The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
-
-
-
## Lab setup
The lab architecture is summarized in the following diagram:
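Review bot: The new OS cell for Computer 2 reads "Windows 8.1 or a later", carrying over the stray "a" from the removed row; it should be "Windows 8.1 or later". The RAM row now mixes "8-GB RAM" and "16-GB RAM" with "16 GB recommended" in the same cell, and the Computer 1 bullet above uses "16 GB or more of installed RAM", so pick one form for the unit. The Architecture row also loses the "Note:" label and italics, so the sentence about retaining applications and settings now reads as part of the Computer 2 value. Keep some marker that it is a remark.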
@@ -107,13 +92,13 @@ The lab architecture is summarized in the following diagram:

- Computer 1 is configured to host four VMs on a private, PoC network.
- - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
- - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
+ - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
+ - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
> [!NOTE]
> If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
-The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts.
+The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if necessary. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that isn't directly connected to the network. This action mitigates the risk of clients on the network receiving DHCP leases from the PoC network. In other words, a "rogue" DHCP server. It also limits NETBIOS service broadcasts.
## Configure the PoC environment
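Review bot: Dropping "corporate" in the added paragraph leaves "a server that isn't directly connected to the network" and "clients on the network" without saying which network is meant, and the rogue DHCP mitigation only makes sense if the reader knows it is the existing production network that the PoC DHCP server must stay off. Suggest a neutral qualifier such as "your organization's network" here and in the VM bullet ("mirror a host on your network"). The added 'In other words, a "rogue" DHCP server.' is a fragment; fold it into the preceding sentence. "NETBIOS" is normally written "NetBIOS".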
@@ -122,16 +107,16 @@ The lab architecture is summarized in the following diagram:
### Procedures in this section
-[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
-[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VM](#convert-pc-to-vm)
-[Resize VHD](#resize-vhd)
-[Configure Hyper-V](#configure-hyper-v)
-[Configure VMs](#configure-vms)
+- [Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
+- [Download VHD and ISO files](#download-vhd-and-iso-files)
+- [Convert PC to VM](#convert-pc-to-vm)
+- [Resize VHD](#resize-vhd)
+- [Configure Hyper-V](#configure-hyper-v)
+- [Configure VMs](#configure-vms)
### Verify support and install Hyper-V
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
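Review bot: The new list keeps the entry "[Resize VHD](#resize-vhd)", but a later hunk in this patch removes a "### Resize VHD" heading and puts "### Enhanced session mode" in its place. Confirm that a heading producing the #resize-vhd anchor still exists after the change, and consider adding an entry for the new "Enhanced session mode" section if it is meant to be a procedure in this list.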
@@ -147,7 +132,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
In this example, the computer supports SLAT and Hyper-V.
- If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+ If one or more requirements are evaluated as **No**, then the computer doesn't support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
@@ -169,19 +154,19 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
> [!NOTE]
> A 64-bit operating system is required to run Hyper-V.
-2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
+2. The Hyper-V feature isn't installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
```
- This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
+ This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an extra command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
```powershell
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
```
- When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
+ When you're prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
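Review bot: In the added paragraph after the Enable-WindowsOptionalFeature block, "This command" is used twice with different referents: the first is the command above, the second is the Install-WindowsFeature command that has not been shown yet. Name the second one explicitly, for example "The Install-WindowsFeature command also installs Hyper-V if it isn't already installed". The inline mention of Enable-WindowsOptionalFeature should be in code formatting, as this patch does for cmd and exit elsewhere.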
@@ -189,37 +174,41 @@ Starting with Windows 8, the host computer’s microprocessor must support secon

- If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
+ If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
### Download VHD and ISO files
-When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
+When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab.
-1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
+1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for **Windows Server** to the **C:\VHD** directory.
+
+ > [!NOTE]
+ > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
+ >
+ > The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations.
> [!IMPORTANT]
> This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
- After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
-
- :::image type="content" alt-text="VHD" source="images/download_vhd.png":::
-
-2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
+2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. Do this action to make the filename simple to recognize and type.
3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
-4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
+4. Download the **Windows 10 Enterprise** ISO file to the **C:\VHD** directory on your Hyper-V host.
- During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired.
+ > [!NOTE]
+ > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
+
+ You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version.
> [!NOTE]
- > The evaluation version of Windows 10 does not support in-place upgrade**.
+ > The evaluation version of Windows 10 doesn't support in-place upgrade**.
-5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
+5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. This step is so that the filename is simple to type and recognize.
- After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
+ After completing these steps, you'll have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
- The following displays the procedures described in this section, both before and after downloading files:
+ The following example displays the procedures described in this section, both before and after downloading files:
```console
C:>mkdir VHD
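Review bot: Step 1 now ends with "Download a single VHD file for **Windows Server** to the **C:\VHD** directory" and step 2 still begins "Download the file to the **C:\VHD** directory", so the download is instructed twice; step 2 should start at the rename. The new note says only Windows Server 2019 or 2022 is available while the file names stay 2012R2-poc-1.vhd and 2012R2-poc-2.vhd, which is acknowledged but worth a sentence telling the reader to keep those names regardless of version. The removed lines gave the expected download sizes (7.47 GB and 3.63 GB); with the download now reached through a community post, some replacement way for the reader to confirm they have the intended file would be useful. The added line "doesn't support in-place upgrade**." keeps a stray "**", and "Do this action to make the filename simple" reads awkwardly.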
@@ -237,17 +226,17 @@ When you have completed installation of Hyper-V on the host computer, begin conf
### Convert PC to VM
> [!IMPORTANT]
-> Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
+> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
+If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.
+1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.
2. Under **Virtual machine**, choose **IE11 on Win7**.
-3. Under **Select platform** choose **HyperV (Windows)**.
-4. Click **Download .zip**. The download is 3.31 GB.
+3. Under **Select platform**, choose **HyperV (Windows)**.
+4. Select **Download .zip**. The download is 3.31 GB.
5. Extract the zip file. Three directories are created.
6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (do not rename the file to w7.vhdx).
+7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
If you have a PC available to convert to VM (computer 2):
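Review bot: The unchanged steps in this hunk still tell the reader to choose "IE11 on Win7" and to name the disk w7.vhd, while the requirements table earlier in this patch changes Computer 2 from "Windows 7 or Windows 8/8.1" to "Windows 8.1". Either update the evaluation VM steps or keep Windows 7 in the table so the two sections agree. "do the following steps" would read better as "use the following steps".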
@@ -255,7 +244,7 @@ If you have a PC available to convert to VM (computer 2):
1. Sign in on computer 2 using an account with Administrator privileges.
> [!IMPORTANT]
- > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
+ > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network.
2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
@@ -278,7 +267,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
```
-If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
+If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
```powershell
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
@@ -345,12 +334,11 @@ The following tables display the Hyper-V VM generation to choose based on the OS
> [!NOTE]
>
->- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
->
->- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
->
->- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
-
+> - If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+>
+> - If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the `mountvol` command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
+>
+> - If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
#### Prepare a generation 1 VM
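Review bot: The re-indented MBR bullet still reads "it is not necessary to mount the MBR system partition, but it is still necessary to capture it", while the rest of this patch converts such phrases to contractions; apply the same style here since the line is being touched anyway. In the GPT bullet, "mount the EFI system partition which is accomplished using the `mountvol` command" needs a comma before "which", or can be shortened to "mount the EFI system partition with the `mountvol` command".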
@@ -361,16 +349,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example.
+3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example.
> [!IMPORTANT]
- > You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+ > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
-4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
+4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example:

- Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than those being converted, such as a flash drive.
+ Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than the disks being converted, such as a flash drive.
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
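Review bot: Moving the volume label from bold to a code span in step 3 changes how the backslashes render: the old "**\\?\Volume{**" relied on Markdown escaping, but inside backticks nothing is escaped, so the new `\?\Volume{` shows a single leading backslash. Volume names of this kind start with \\?\, so the code span should contain both backslashes. The same step now writes `C:\` as code while the generation 2 and GPT procedures later in the patch keep "**C:\\**" in bold; use one style for all three.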
@@ -398,16 +386,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS
This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
+4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected.
> [!IMPORTANT]
> You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
-5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
+5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and select **Create**. See the following example:

- Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+ Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive.
6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
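Review bot: The added Disk2vhd performance sentence here says "different than those disks being converted" with no commas around "however", while the copy added in the generation 1 procedure says "Performance is better, however, when ... different than the disks being converted". Use the generation 1 wording in all copies. In step 4, the bold span "**Use Volume Shadow Copy checkbox**" includes the word "checkbox", which is not part of the UI label. The unchanged IMPORTANT note below it still has "is not required" if contractions are being applied throughout.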
@@ -426,16 +414,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS
You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
+3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
> [!NOTE]
- > The system volume is not copied in this scenario, it will be added later.
+ > The system volume isn't copied in this scenario, it will be added later.
-4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
+4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and select **Create**. See the following example:

- Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+ Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive.
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
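Review bot: The added NOTE line under step 3 keeps a comma splice ("The system volume isn't copied in this scenario, it will be added later."); since the line is being changed anyway, split it into two sentences or use a semicolon. The Disk2vhd performance sentence after step 4 has the same kind of problem: "Performance is better however when" needs commas around "however" or should be recast.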
@@ -447,14 +435,12 @@ The following tables display the Hyper-V VM generation to choose based on the OS
w7.VHD
```
- In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
+ In its current state, the w7.VHD file isn't bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
-### Resize VHD
-
-Enhanced session mode
+### Enhanced session mode
> [!IMPORTANT]
-> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
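Review bot: The added IMPORTANT paragraph under the new "### Enhanced session mode" heading missed the contraction pass: it still reads "do not left click other locations" while the other changed lines in this patch use "don't", "isn't" and so on. While editing this paragraph, consider adding a sentence that clipboard and file copy between the Hyper-V host, the VMs and RDP sessions is being enabled on the host for the convenience of this lab, so readers know it's a setting they may want to revert once the PoC is finished.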
@@ -462,11 +448,11 @@ To ensure that enhanced session mode is enabled on the Hyper-V host, type the fo
Set-VMhost -EnableEnhancedSessionMode $TRUE
```
-If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+If enhanced session mode wasn't previously enabled, close any existing virtual machine connections and reopen them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-
+### Resize VHD
-The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
+The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 100 GB to support installing imaging tools and storing OS images.
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
@@ -487,15 +473,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
- If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+ If the Hyper-V host already has an external virtual switch bound to a physical NIC, don't attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
**A**: Remove the existing external virtual switch, then add the poc-external switch
**B**: Rename the existing external switch to "poc-external"
- **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
- If you choose B) or C), then do not run the second command below.
+ If you choose B) or C), then don't run the second command below.
```powershell
New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
@@ -505,7 +491,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
> [!NOTE]
> The second command above will temporarily interrupt network connectivity on the Hyper-V host.
- Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+ Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this action by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet (`$_.Status -eq "Up" -and !$_.Virtual`). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation won't work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the internet is named "Ethernet 2" then type the following command to create an external virtual switch: `New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"`
2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
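Review bot: The example command at the end of the added paragraph (New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External") is now in backticks but still sits at the end of a long paragraph, and it's the line a reader on a dual-homed host has to copy and edit. Put it in its own powershell fence like the other commands in this step. The same paragraph also writes "ethernet adapters" in lowercase twice while the interface name is "Ethernet 2".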
@@ -513,9 +499,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
(Get-VMHostNumaNode).MemoryAvailable
```
- This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
+ This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer isn't also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available, try closing applications to free up more memory.
-3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
+3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
```powershell
(Get-VMHostNumaNode).MemoryAvailable/4
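Review bot: The added RAM paragraph still mixes "10,000 MB" and "4000 MB" in consecutive sentences; pick one thousands format while the paragraph is being edited.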
@@ -566,7 +552,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
> [!NOTE]
> The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
- First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
+ First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Don't forget to include a pipe (`|`) at the end of the first five commands:
```powershell
New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
@@ -592,10 +578,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
The VM will automatically boot into Windows Setup. In the PC1 window:
- 1. Click **Next**.
- 2. Click **Repair your computer**.
- 3. Click **Troubleshoot**.
- 4. Click **Command Prompt**.
+ 1. Select **Next**.
+ 2. Select **Repair your computer**.
+ 3. Select **Troubleshoot**.
+ 4. Select **Command Prompt**.
5. Type the following command to save an image of the OS drive:
```console
@@ -626,8 +612,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
exit
```
- 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
- 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
+ 8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD.
+ 9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**.
10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
```powershell
@@ -644,9 +630,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
vmconnect localhost DC1
```
-2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
-3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
+2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**.
+3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
+4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
```powershell
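Review bot: Replacing the literal "pass@word1" in step 2 with "provide a strong administrator password" is the right change, but the guide previously relied on every reader having the same known value. Check that no later command or sign-in step in the guide still assumes the old literal, and tell the reader here to record the password they choose, because steps 3 and 4 need it again. Separately, the inline "Note:" in step 4 would be more consistent as a [!NOTE] block, which is how the other hunks format notes.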
@@ -699,9 +685,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
```
- The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
+ The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we haven't configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this configuration by using the command: `Get-DhcpServerv4Lease -ScopeId 192.168.0.0`
-11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
+11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
```powershell
Get-DnsServerForwarder
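Review bot: The paragraph after the Set-DhcpServerv4OptionValue command now formats Get-DhcpServerv4Lease as code but leaves "The -Force option" unformatted at the start of the same paragraph; format the parameter as code too. "The first DHCP lease that will be issued is to vEthernet interface" is also missing an article before "vEthernet".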
@@ -717,7 +703,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
ReorderedIPAddress : 192.168.0.2
```
- If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
+ If this output isn't displayed, you can use the following command to add SRV1 as a forwarder:
```powershell
Add-DnsServerForwarder -IPAddress 192.168.0.2
@@ -725,9 +711,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
**Configure service and user accounts**
- Windows 10 deployment with MDT and Microsoft Endpoint Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+ Windows 10 deployment with Configuration Manager and MDT requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
- To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+ To keep this test lab relatively simple, we won't create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
On DC1, open an elevated Windows PowerShell prompt and type the following commands:
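Review bot: The added sentence that ends with the link to "Prepare for Zero Touch Installation of Windows 10 with Configuration Manager" still has no terminal period. While this block is being edited, it would help to say outright that adding the service accounts to Domain Admins and setting passwords to never expire are lab shortcuts. As written, the production pointer is attached only to the OU and permissions sentence, and the never-expire sentence in the previous paragraph stands on its own.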
@@ -746,9 +732,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
12. Minimize the DC1 VM window but **do not stop** the VM.
- Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
+ Next, the client VM will be started and joined to the contoso.com domain. This action is done before adding a gateway to the PoC network so that there's no danger of duplicate DNS registrations for the physical client and its cloned VM in the domain.
-13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
+13. If the PC1 VM isn't started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
```powershell
Start-VM PC1
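Review bot: Dropping "corporate" from the added paragraph before step 13 makes "in the domain" ambiguous, because the previous sentence has just named contoso.com as the domain the client VM is joining. The duplicate DNS registration concern is about the domain the physical client already belongs to, so keep a qualifier, for example "in the physical client's existing domain", rather than deleting the word.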
@@ -757,19 +743,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
14. Sign in to PC1 using an account that has local administrator rights.
- PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
+ PC1 will be disconnected from its current domain, so you can't use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
-15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
+15. After you sign in, Windows detects that it's running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you'll be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.

- If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
+ If the client was configured with a static address, you must change this address to a dynamic one so that it can obtain a DHCP lease.
-16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
+16. When the new network adapter driver has completed installation, you'll receive an alert to set a network location for the contoso.com network. Select **Work network** and then select **Close**. When you receive an alert that a restart is required, select **Restart Later**.
17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
- To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
+ To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection:
```console
ipconfig
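Review bot: Step 17 is an unchanged context line but still says "consoto.com domain controller"; fix the typo to contoso.com in this patch, since the paragraph right below it uses the correct name in the ping and nltest commands. Step 15 was also reworded but keeps "by clicking **Show hidden icons**" while the rest of the hunk moves from "click" to "select".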
@@ -803,9 +789,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
```
> [!NOTE]
- > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
+ > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it's possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
-18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
+18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then select **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
```powershell
(Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
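Review bot: The added NOTE line changes "it is possible" to "it's possible" but leaves "you cannot copy and paste" earlier in the same sentence, so the contraction pass is only half applied on this line. "The next procedure demonstrates this." also keeps a dangling "this", which other hunks in the patch replace with "this action" or "this configuration".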
@@ -816,13 +802,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Restart-Computer
```
- If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
+ If you don't see the script pane, select **View** and verify **Show Script Pane Top** is enabled. Select **File** and then select **New**.
See the following example:
:::image type="content" alt-text="ISE 1." source="images/ISE.png" lightbox="images/ISE.png":::
-19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
+19. Select **File**, select **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
@@ -832,9 +818,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
```
> [!NOTE]
- > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
+ > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
- If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
+ If the copy-vmfile command doesn't work and you can't properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode isn't available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the `.ps1` extension and not as a text (`.txt`) file.
21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
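Review bot: In the NOTE block the removed and added lines read the same apart from whitespace, so "If this service is not enabled in this step" missed the contraction pass that the following paragraph received. The cmdlet is also spelled inconsistently: "copy-VMFile" and "copy-vmfile" in this hunk, and "Copy-VMFile" in the NOTE before step 18. Use Copy-VMFile in code formatting throughout, the same way this hunk now formats the .ps1 and .txt extensions.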
@@ -842,14 +828,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
```
- The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
+ The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the network so as to ensure the computer object in the domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
> [!IMPORTANT]
> The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
-23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
+23. Minimize the PC1 window but don't turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This action verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
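Review bot: Removing "corporate" twice from the paragraph after step 21 changes the meaning. "PC1 is removed from its domain in this step while not connected to the network" is no longer accurate, because PC1 is on the PoC network at this point (step 17 has it ping dc1.contoso.com), and "the computer object in the domain" no longer says which domain is meant. Keep a qualifier in both places, such as "its original network" and "its original domain".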
@@ -858,7 +844,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
vmconnect localhost SRV1
```
-25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
+25. Accept the default settings, read license terms and accept them, provide a strong administrator password, and select **Finish**. When you're prompted about finding PCs, devices, and content on the network, select **Yes**.
26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
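Review bot: Step 25 now asks for "a strong administrator password" with the same wording as the DC1 step, but doesn't say whether SRV1 should reuse the DC1 password. Both steps previously gave the fixed value "pass@word1", so add a clause stating what the guide expects, preferably a different password per VM, and remind the reader to record it for the sign-in in step 26.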
@@ -892,12 +878,12 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Install-WindowsFeature -Name Routing -IncludeManagementTools
```
-30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
+30. Before configuring the routing service that was installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
```powershell
- Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+ Get-NetAdapter | ? status -eq 'up' | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
IPAddress InterfaceAlias
--------- --------------
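Review bot: the corrected command in step 30 fixes the curly quotes but keeps the aliases `?` and `ft`, which are hard to search for and unclear to readers new to PowerShell. Suggest spelling them out as `Where-Object Status -eq 'up'` and `Format-Table IPAddress, InterfaceAlias` while this line is being touched. The sample output sits in the same `powershell` fence as the command, so a reader who copies the whole block also pastes the table header into the prompt.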
@@ -905,11 +891,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
192.168.0.2 Ethernet
```
- In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
-
- >[!TIP]
- >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
+ In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your network. If so, you can try removing and readding the second network interface from the SRV1 VM through its Hyper-V settings.
+ > [!TIP]
+ > Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
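Review bot: the reformatted TIP keeps "you will receive" and "by clicking **View** and then clicking **Show hidden devices**", while the rest of this patch moves to contractions and "select" (step 25 changes "click **Finish**" to "select **Finish**"). Suggest "you'll receive" and "selecting **View** and then **Show hidden devices**" so the alert matches. In the paragraph above it, "readding" is hard to parse, and "re-adding" or "adding it again" reads better.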
@@ -921,19 +906,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
```
-32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This step can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
```powershell
Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
```
-33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
+33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
```powershell
ping www.microsoft.com
```
- If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
+ If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
> [!NOTE]
> This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
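Review bot: "To do this action" in the paragraph after the ping example is awkward and its antecedent is a noun phrase, not an action. Suggest "To configure the forwarder, open an elevated Windows PowerShell prompt on SRV1 and type the following command:". The sentence ends with a period where the other steps use a colon before a command. In step 32, "This step can be accomplished with a conditional forwarder" is circular, and "Use a conditional forwarder for this purpose" is shorter.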
@@ -942,7 +927,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
```
-34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
+34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK):
```powershell
PS C:\> ping www.microsoft.com
@@ -959,15 +944,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Minimum = 1ms, Maximum = 3ms, Average = 2ms
```
-35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
-36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
+35. Verify that all three VMs can reach each other, and the internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
+36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
Restart-Computer
```
-This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
+This process completes configuration of the starting PoC environment. More services and tools are installed in subsequent guides.
## Appendix A: Verify the configuration
@@ -987,19 +972,19 @@ Use the following procedures to verify that the PoC environment is configured pr
```
**Get-Service** displays a status of "Running" for all three services.
-
+
**DCDiag** displays "passed test" for all tests.
-
- **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
-
+
+ **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Other address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+
**Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
-
+
**Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
**Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
-
- **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
-
+
+ **Get-DhcpServerv4Statistics** displays one scope with two addresses in use. These addresses belong to PC1 and the Hyper-V host.
+
**ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
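Review bot: the rewritten **Get-DnsServerResourceRecord** line still says "the computername of PC1", which should be "computer name". The six `-`/`+` pairs of otherwise empty lines in this hunk look like whitespace-only changes. If they only strip trailing spaces, say so in the commit description so they aren't mistaken for content edits. The split into "one scope with two addresses in use. These addresses belong to PC1 and the Hyper-V host." reads well.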
@@ -1014,13 +999,13 @@ Use the following procedures to verify that the PoC environment is configured pr
**Get-Service** displays a status of "Running" for both services.
- **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+ **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you're required to use so that SRV1 can resolve internet names.
**Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
- **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+ **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP address of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your network.
- **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
+ **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
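Review bot: dropping "corporate" in the **ipconfig** line leaves "The suffix search list contains `contoso.com` and your domain", which is ambiguous because `contoso.com` is the reader's domain inside the PoC. Suggest "and the DNS suffix supplied by your external network" or similar, and the same for "configured by DHCP on your network" and "IP address assigned by your network" so it stays clear that these values come from outside the lab network.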
@@ -1038,11 +1023,10 @@ Use the following procedures to verify that the PoC environment is configured pr
**nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
- **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+ **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "could not find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
**tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
-
## Appendix B: Terminology used in this guide
|Term|Definition|
@@ -1058,9 +1042,6 @@ Use the following procedures to verify that the PoC environment is configured pr
|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
-## Related Topics
-
+## Next steps
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-
-
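Review bot: the hunk removes the empty line that followed the old "## Related Topics" heading and adds "## Next steps" without one, so as shown the new heading is followed directly by the link line. Please confirm an empty line still separates the heading from `[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)`, and add one if not.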
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 03e2aee015..f0e2079b1c 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,63 +1,60 @@
---
title: Demonstrate Autopilot deployment
manager: dougeby
-description: In this article, find step-by-step instructions on how to set up a Virtual Machine with a Windows Autopilot deployment.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
+description: Step-by-step instructions on how to set up a virtual machine with a Windows Autopilot deployment.
ms.prod: w10
-ms.mktglfcycl: deploy
+ms.technology: windows
ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
author: aczechowski
ms.author: aaroncz
ms.collection:
- M365-modern-desktop
- highpri
-ms.topic: article
-ms.custom:
- - autopilot
- - seo-marvel-apr2020
+ms.topic: tutorial
+ms.date: 05/12/2022
---
-
# Demonstrate Autopilot deployment
-**Applies to**
+*Applies to*
- Windows 10
-To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
+To get started with Windows Autopilot, you should try it out with a virtual machine (VM). You can also use a physical device that will be wiped and then have a fresh install of Windows 10.
-In this topic, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V.
+In this article, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V.
> [!NOTE]
-> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Intune.
+> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Microsoft Intune.
>
-> Hyper-V and a VM are not required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+> Hyper-V and a VM aren't required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to _device_ in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
-
-
+> [!VIDEO https://www.youtube.com/embed/KYVptkpsOqs]
+> [!TIP]
> For a list of terms used in this guide, see the [Glossary](#glossary) section.
## Prerequisites
-These are the things you'll need to complete this lab:
+You'll need the following components to complete this lab:
-| | Description |
+| Component | Description |
|:---|:---|
-|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, General Availability Channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.|
-|**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.|
+|**Windows 10 installation media**|Windows 10 Professional or Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an evaluation version of Windows 10 Enterprise.|
+|**Internet access**|If you're behind a firewall, see the detailed [networking requirements](/mem/autopilot/software-requirements#networking-requirements). Otherwise, just make sure that you have a connection to the internet.|
|**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
-|**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
+|**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
+
+> [!NOTE]
+> The Microsoft Evaluation Center is temporarily unavailable. To access Windows client evaluation media, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
## Procedures
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.
-If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
+If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or later.
- [Verify support for Hyper-V](#verify-support-for-hyper-v)
- [Enable Hyper-V](#enable-hyper-v)
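Review bot: the added `> [!VIDEO https://www.youtube.com/embed/KYVptkpsOqs]` line is immediately followed by `> [!TIP]` with no empty line between them, so both markers and the glossary sentence fall into a single blockquote. Suggest an empty line after the video line so the embed and the tip are separate blocks. Also, the new Evaluation Center note under Prerequisites states a temporary condition ("temporarily unavailable") with no review date, and the same note is added again later in this file. Consider a shared include so it can be removed in one place.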
@@ -107,7 +104,7 @@ To enable Hyper-V, open an elevated Windows PowerShell prompt and run the follow
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
```
-This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command:
+This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type another command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command:
```powershell
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
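Review bot: the rewritten sentence says that on Windows Server "you must type another command", which reads as "in addition to **Enable-WindowsOptionalFeature**", yet the paragraph ends by saying the following command can be used instead of it. Suggest stating it once: on Windows Server, use `Install-WindowsFeature -Name Hyper-V -IncludeManagementTools` instead, because it installs Hyper-V together with the PowerShell module and the Hyper-V Manager console.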
@@ -139,17 +136,18 @@ To use Windows PowerShell, you need to know two things:
2. The name of the network interface that connects to the internet.
- In the example, you'll use a Windows PowerShell command to determine this automatically.
+ In the example, you'll use a Windows PowerShell command to determine this information automatically.
After you determine the ISO file location and the name of the appropriate network interface, you can install Windows 10.
### Set ISO file location
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise. Choose a 64-bit version.
-When asked to select a platform, choose **64 bit**.
+> [!NOTE]
+> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
-After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+After you download an ISO file, the name will be long. For example, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso`
1. So that it's easier to type and remember, rename the file to **win10-eval.iso**.
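Review bot: after this change "Download an ISO file for an evaluation version ..." no longer says where to download it from. The Evaluation Center link is removed and the only remaining link is the workaround post inside the note. Suggest naming the expected source in the instruction itself so readers don't obtain installation media from an arbitrary site. The note is a duplicate of the one added under Prerequisites, so keep a single copy or use an include. The new "For example, `19042.508...en-us.iso`" sentence is missing its closing period.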
@@ -165,9 +163,9 @@ The **Get-NetAdaper** cmdlet is used to automatically find the network adapter t
(Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
```
-The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
+The output of this command should be the name of the network interface you use to connect to the internet. Verify that this interface name is correct. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
-For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be **New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
+For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be `New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2`
### Use Windows PowerShell to create the demo VM
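Review bot: the new inline code on the "For example" line has a stray `**` before `Ethernet2`, left over from the old bold markup. Inside backticks it renders literally, so a reader who copies the command gets `-NetAdapterName **Ethernet2`, which isn't the adapter name. The line should end `-NetAdapterName Ethernet2` followed by a period outside the code span. The hunk header also shows the section text still spelling the cmdlet "Get-NetAdaper", which is worth fixing in the same pass.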
@@ -176,7 +174,7 @@ All VM data will be created under the current path in your PowerShell prompt. Co
> [!IMPORTANT]
> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
>
->- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
+>- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to `AutopilotExternal`.
>- If you have never created an external VM switch before, then just run the commands below.
>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
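Review bot: the changed bullet now formats the switch name as code (`AutopilotExternal`) at its end but still as bold (**AutopilotExternal**) earlier in the same sentence, and the third bullet keeps it in quotation marks. Suggest code formatting for all three, and for the cmdlet in the third bullet as well (`Get-VMSwitch` instead of **get-vmswitch**), so readers can tell literal values from emphasis.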
@@ -187,9 +185,9 @@ Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
```
-After you enter these commands, connect to the VM that you just created. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD.
+After you enter these commands, connect to this VM. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD.
-See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
+See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used, which is only available on Windows Server. If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
PS C:\autopilot> dir c:\iso
@@ -250,7 +248,7 @@ Make sure that the VM booted from the installation ISO, select **Next**, select

-After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This option offers the fastest way to the desktop. For example:

@@ -259,7 +257,7 @@ Once the installation is complete, sign in and verify that you're at the Windows
> [!div class="mx-imgBorder"]
> 
-To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following:
+To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following command:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
@@ -327,7 +325,7 @@ Follow these steps to run the PowerShell script:
PS C:\HWID>
```
-
+
1. Verify that there's an **AutopilotHWID.csv** file in the **c:\HWID** directory that's about 8 KB in size. This file contains the complete 4K HH.
> [!NOTE]
@@ -335,19 +333,20 @@ Follow these steps to run the PowerShell script:

- You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you’re using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
+ You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you're using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
- If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor to do this.
+ If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor.
> [!NOTE]
> When copying and pasting to or from VMs, avoid selecting other things with your mouse cursor in between the copy and paste process. Doing so can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
-With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
+With the hardware ID captured in a file, prepare your VM for Windows Autopilot deployment by resetting it back to OOBE.
-On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
-Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**.
+1. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
+1. Select **Remove everything**. On **How would you like to reinstall Windows**, select **Local reinstall**.
+1. Finally, select **Reset**.

@@ -357,13 +356,13 @@ Resetting the VM or device can take a while. Proceed to the next step (verify su
## Verify subscription level
-For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) in the Azure portal. See the following example:
**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**

-If the configuration blade shown above doesn't appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in Azure AD Premium.
+If this configuration doesn't appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in Azure AD Premium.
To convert your Intune trial account to a free Premium trial account, go to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
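Review bot: "If this configuration doesn't appear" has no clear antecedent now that "blade shown above" is removed, since the nearest referent is a screenshot. Suggest naming the item the reader should look for, for example "If **Microsoft Intune** doesn't appear under **Mobility (MDM and MAM)**", which matches the navigation path given two lines earlier.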
@@ -414,7 +413,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
You should receive confirmation that the file is formatted correctly before you upload it, as shown above.
-3. Select **Import** and wait until the import process completes. This can take up to 15 minutes.
+3. Select **Import** and wait until the import process completes. This action can take up to 15 minutes.
4. Select **Refresh** to verify your VM or device is added. See the following example.
@@ -465,7 +464,7 @@ The Autopilot deployment profile wizard asks for a device group, so you must cre
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
-2. In the **Group** blade:
+2. In the **Group** pane:
1. For **Group type**, choose **Security**.
2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
3. Azure AD roles can be assigned to the group: **No**
@@ -490,7 +489,7 @@ Select **Create profile** and then select **Windows PC**.
> [!div class="mx-imgBorder"]
> 
-On the **Create profile** blade, use the following values:
+On the **Create profile** pane, use the following values:
| Setting | Value |
|---|---|
@@ -580,7 +579,7 @@ To confirm the profile was successfully assigned to the intended device, check t
## See Windows Autopilot in action
-If you shut down your VM after the last reset, it's time to start it back up again so it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
+If you shut down your VM after the last reset, start it again. Then it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
> [!div class="mx-imgBorder"]
> 
@@ -596,7 +595,7 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com

-Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**. Then, **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+After the device loads the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go to the Intune portal, and select **Devices > All devices**. Then **Refresh** the data to verify that your device has changed to an enabled state, and the name of the device is updated.
> [!div class="mx-imgBorder"]
> 
@@ -619,9 +618,9 @@ You need to delete (or retire, or factory reset) the device from Intune before d
> [!div class="mx-imgBorder"]
> 
-This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this action doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
> A device only appears in the **All devices** list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
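Review bot: the rewritten paragraph ending "The former (All devices) is the list of devices currently enrolled into Intune." is still split from its counterpart, because "The latter (**Windows Autopilot Deployment Program** > **Devices**) ..." sits inside the following `[!NOTE]` block after an unrelated sentence about booting. Since this paragraph is being edited anyway, move the "latter" sentence up into it and leave only the boot remark in the note, so the comparison of the two datastores reads as one unit.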
@@ -684,7 +683,7 @@ EPT * Supports Intel extended page tables (SLAT)
#### Prepare the app for Intune
-Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
@@ -699,11 +698,11 @@ Run the IntuneWinAppUtil tool, supplying answers to the three questions, for exa
> [!div class="mx-imgBorder"]
> 
-After the tool finishes running, you should have an .intunewin file in the Output folder. You can upload the file into Intune by using the following steps.
+After the tool finishes running, you should have an `.intunewin` file in the Output folder. You can upload the file into Intune by using the following steps.
#### Create app in Intune
-Log in to the Azure portal, and then select **Intune**.
+Sign in to the Azure portal, and then select **Intune**.
Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
@@ -713,16 +712,16 @@ Under **App Type**, select **Windows app (Win32)**:

-On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then select **OK**:
+On the **App package file** pane, browse to the `npp.7.6.3.installer.x64.intunewin` file in your output folder, open it, then select **OK**:
> [!div class="mx-imgBorder"]
> 
-On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+On the **App Information Configure** pane, provide a friendly name, description, and publisher, such as:

-On the **Program Configuration** blade, supply the install and uninstall commands:
+On the **Program Configuration** pane, supply the install and uninstall commands:
```console
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
@@ -734,11 +733,11 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q

-Simply using an install command like "notepad++.exe /S" doesn't actually install Notepad++; it only launches the app. To install the program, you need to use the .msi file instead. Notepad++ doesn't have a .msi version of their program, but there's a .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like `notepad++.exe /S` doesn't actually install Notepad++. It only launches the app. To install the program, you need to use the `.msi` file instead. Notepad++ doesn't have an MSI version of their program, but there's an MSI version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
-Select **OK** to save your input and activate the **Requirements** blade.
+Select **OK** to save your input and activate the **Requirements** pane.
-On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+On the **Requirements Configuration** pane, specify the **OS architecture** and the **Minimum OS version**:
> [!div class="mx-imgBorder"]
> 
@@ -752,7 +751,7 @@ Select **Add** to define the rule properties. For **Rule type**, select **MSI**,

-Select **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+Select **OK** twice to save, as you back out to the main **Add app** pane again for the final configuration.
**Return codes**: For the purposes of this lab, leave the return codes at their default values:
@@ -761,7 +760,7 @@ Select **OK** twice to save, as you back out to the main **Add app** blade again
Select **OK** to exit.
-You can skip configuring the final **Scope (Tags)** blade.
+You can skip configuring the final **Scope (Tags)** pane.
Select the **Add** button to finalize and save your app package.
@@ -780,7 +779,7 @@ Find your app in your app list:
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then select **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties pane. Then select **Assignments** from the menu:
> [!div class="mx-imgBorder"]
> 
@@ -818,7 +817,7 @@ For more information on adding apps to Intune, see [Intune Standalone - Win32 ap
#### Create app in Microsoft Endpoint Manager
-Log in to the Azure portal and select **Intune**.
+Sign in to the Azure portal and select **Intune**.
Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
@@ -855,7 +854,7 @@ Select **OK** and, then select **Add**.
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then select **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties pane. Then select **Assignments** from the menu:
> [!div class="mx-imgBorder"]
> 
diff --git a/windows/hub/doc-test.md b/windows/hub/doc-test.md
new file mode 100644
index 0000000000..bb5825132e
--- /dev/null
+++ b/windows/hub/doc-test.md
@@ -0,0 +1,154 @@
+---
+title: Doc team test
+description: A test article for the doc team's use.
+ms.date: 05/10/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: reference
+ms.localizationpriority: null
+ROBOTS: NOINDEX
+author: aczechowski
+ms.author: aaroncz
+ms.reviewer: mstewart
+manager: dougeby
+---
+
+# Doc team test
+
+This article is for testing purposes only.
+
+> [!NOTE]
+> For more markdown examples and tips, see the **template.md** file at the root of the repository. Including examples of links and images.
+
+## Basic Markdown and GFM
+
+All basic and Github-flavored markdown is supported. For more information, see:
+
+- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
+- [Github-flavored markdown (GFM) documentation](https://guides.github.com/features/mastering-markdown)
+
+## Headings
+
+Examples of first and second-level headings are above.
+
+There **must** be only one first level heading in your article, which will be displayed as the on-page title.
+
+Second-level headings will generate the on-page TOC that appears in the "In this article" section underneath the on-page title.
+
+### Third-level heading (`###`)
+#### Fourth-level heading (`####`)
+##### Fifth-level heading (`#####`)
+
+## Text styling
+
+_Italics_ (`_`)
+
+**Bold** (`**`)
+
+~~Strikethrough~~ (`~~`)
+
+## Lists
+
+### Ordered lists
+
+1. This
+1. Is
+1. An
+1. Ordered
+1. List
+
+#### Ordered list with an embedded list
+
+1. Here
+1. Comes
+1. An
+1. Embedded
+ 1. Scarlett
+ 1. Professor Plum
+1. Ordered
+1. List
+
+### Unordered Lists
+
+- This
+- Is
+- A
+- Bulleted
+- List
+
+#### Unordered list with an embedded list
+
+- This
+- Bulleted
+- List
+ - Peacock
+ - Green
+- Contains
+- Other
+ 1. Colonel Mustard
+ 1. Yellow
+ 1. gold
+ 1. White
+ 1. cream
+ 1. silver
+- Lists
+
+## Horizontal rule
+
+---
+
+## Tables
+
+| Tables | Are | Cool |
+|---------------------|:-------------:|------:|
+| Column 3 is | Right-aligned | $1600 |
+| Column 2 is | Centered | $12 |
+| Column 1 is default | Left-aligned | $1 |
+
+## Code
+
+### Code block
+
+```json
+{
+ "aggregator": {
+ "batchSize": 1000,
+ flushTimeout": "00:00:30"
+ }
+}
+ ```
+
+### In-line code
+
+This example is for `in-line code`.
+
+## Blockquotes
+
+> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
+
+## Alerts
+
+### Note
+
+> [!NOTE]
+> This alert is a NOTE
+
+### Warning
+
+> [!WARNING]
+> This alert is a WARNING
+
+### Tip
+
+> [!TIP]
+> This alert is a TIP
+
+### Caution
+
+> [!CAUTION]
+> This alert is a CAUTION
+
+### Important
+
+> [!IMPORTANT]
+> This alert is a IMPORTANT
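Review bot: the JSON sample under "### Code block" is not valid JSON, because the key on the line `flushTimeout": "00:00:30"` is missing its opening quote, and the closing fence is indented differently from the opening one, which can keep the block from closing cleanly in some renderers. For a page meant to test rendering, fix both so the sample exercises the json highlighter as intended. Smaller points in the same file: "Github" should be "GitHub" in the heading text and link labels, "This alert is a IMPORTANT" should read "an IMPORTANT", and the sentence fragment "Including examples of links and images." in the first note should be joined to the sentence before it.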
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 66754be796..db7379ba1f 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -485,8 +485,8 @@ Any user accessing the system through Terminal Services has the Terminal Server
| Attribute | Value |
| :--: | :--: |
-| Well-Known SID/RID | |
-|Object Class| |
+| Well-Known SID/RID | S-1-5-90 |
+|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
|
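Review bot: the visible hunk does not show which special identity this attribute table belongs to (the header context only carries the preceding Terminal Server User text), so the PR description should name the identity that `S-1-5-90` and "Foreign Security Principal" were checked against. Style: the two added rows are padded differently (`| Well-Known SID/RID | S-1-5-90 |` versus `|Object Class| Foreign Security Principal|`); align them with whichever form the rest of the table uses.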
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 3599199593..7d71cc00ce 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -59,6 +59,10 @@ The following known issues have been fixed by servicing releases made available
## Known issues involving third-party applications
+The following issue affects MSCHAPv2:
+
+- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
+
The following issue affects the Java GSS API. See the following Oracle bug database article:
- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
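Review bot: the new MSCHAPv2 entry does not follow the pattern of the Java entry below it, which leads its link text with the vendor's bug ID and names the product in full. Suggest starting the link text with the Cisco bug ID that appears in the URL (CSCul55352), writing "Windows Defender Credential Guard" instead of "Credential guard", and dropping the "very popular" phrasing in favour of a plain statement of what fails. A reader landing here also gets no hint of the impact or a workaround, so one sentence on what breaks for MSCHAPv2-based authentication would help.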
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index f5c9ad4cbf..a5041cd575 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -26,6 +26,7 @@ ms.custom:
- Windows 11
- Windows Server 2016
- Windows Server 2019
+- Windows Server 2022
## Enable Windows Defender Credential Guard
@@ -204,9 +205,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
- You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
-
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
+ - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
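Review bot: in the rewritten Event ID 51 bullet, the sample event text ends with `TPM PCR mask: 0x0.` and is immediately followed by "If you are running with a TPM, the TPM PCR mask value will be something other than 0." As merged into one paragraph, the sample now reads as the expected output while actually showing the non-TPM case. Either say that the sample is from a device without TPM key protection or put the explanatory sentence before the sample. The old text also bolded the status fields worth checking, which the inline code form loses. Minor: "in *Applications and Services logs → ...* event log" needs "the", and the arrow style differs from the "->" used elsewhere on this page.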
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 72148e773a..4753b3c6f4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -84,8 +84,9 @@ For errors listed in this table, contact Microsoft Support for assistance.
| Hex | Cause |
|-------------|---------|
-| 0X80072F0C | Unknown |
| 0x80070057 | Invalid parameter or argument is passed. |
+| 0X80072F0C | Unknown |
+| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.|
| 0x80090010 | NTE_PERM |
| 0x80090020 | NTE\_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
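Review bot: the cause text added for `0x80072F8F` talks about "attempting to activate Windows" and "the activation server's clock", which reads as copied from activation troubleshooting and does not describe a failure during PIN creation, the subject of this table. Reword it for this context, for example as a time mismatch between the device and the server it contacts during provisioning. While reordering, also normalise `0X80072F0C` to the lowercase `0x` prefix the other rows use.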
@@ -105,7 +106,6 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x801C044C | There is no core window for the current thread. |
| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. |
-
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 49ed9f19f0..e1fac8d907 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -25,7 +25,7 @@ ms.reviewer:
- Hybrid deployment
- Certificate trust
-Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
+Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
@@ -35,7 +35,7 @@ Your environment is federated and you are ready to configure device registration
Use this three-phased approach for configuring device registration.
-1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
+1. [Configure devices to register in Azure](#configure-hybrid-azure-ad-join)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
@@ -51,11 +51,21 @@ Use this three-phased approach for configuring device registration.
>[!IMPORTANT]
> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
-## Configure Azure for Device Registration
+## Configure Hybrid Azure AD join
-Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
+To support hybrid Windows Hello for Business, configure hybrid Azure AD join.
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal)
+Follow the guidance on [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
+
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
+
+- Configure Azure AD Connect to sync the user's on-premises UPN to the `onPremisesUserPrincipalName attribute` in Azure AD.
+- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
+
+You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join).
+
+> [!NOTE]
+> Windows Hello for Business Hybrid key trust is not supported, if your users' on-premises domain cannot be added as a verified domain in Azure AD.
## Configure Active Directory to support Azure device synchronization
@@ -90,14 +100,14 @@ Sign-in to the domain controller hosting the schema master operational role usin
2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
3. To update the schema, type ```adprep /forestprep```.
4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema.
-5. Close the Command Prompt and sign-out.
+5. Close the Command Prompt and sign out.
> [!NOTE]
> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
### Setup Active Directory Federation Services
-If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
+If you're new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
Once you have your AD FS design ready, review [Deploying a Federation Server farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment.
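Review bot: the changed line "If you're new to AD FS and federation services ..." still contains the typo "to prior to designing and deploying"; drop the stray "to" while this sentence is being edited. In the same hunk, the unchanged step 4 has unbalanced emphasis in "**C***", which is worth fixing in this pass as well.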
@@ -115,11 +125,11 @@ Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deploymen
Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
-When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
+When you're ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
### Create AD objects for AD FS Device Authentication
-If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
+If your AD FS farm isn't already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.

> [!NOTE]
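Review bot: the changed line beginning "When you're ready to install" keeps the broken phrase "select the use an existing option and click **Next**". Name the option as it appears in the wizard and bold it, and use "select" instead of "click" to match the wording used elsewhere in this patch. The second changed line uses "Service -> Device Registration" unformatted; bolding the UI path would match the neighbouring steps.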
@@ -127,10 +137,10 @@ If your AD FS farm is not already configured for Device Authentication (you can
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.

-2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
+2. On your AD FS primary server, ensure you're logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
`Import-module activedirectory`
`PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "
-4. Once this is done, you will see a successful completion message.
+4. Once this is done, you'll see a successful completion message.

@@ -180,20 +190,20 @@ To ensure AD DS objects and containers are in the correct state for write back o
Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format
-The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name
+The above command creates the following objects for device write back to AD DS, if they don't exist already, and allows access to the specified AD connector account name
- RegisteredDevices container in the AD domain partition
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
### Enable Device Write Back in Azure AD Connect
-If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets
+If you haven't done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets
## Configure AD FS to use Azure registered devices
### Configure issuance of claims
-In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a 3rd party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).
+In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a third party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).
Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service.
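Review bot: "a third party on-premises federation service" uses "third party" as a modifier and should be hyphenated ("third-party"). Two of the changed sentences in this hunk, "allows access to the specified AD connector account name" and "the forest in which you have run the above cmdlets", still end without a period. The last one also keeps "you have run" right after the new "you haven't", so pick one style for the sentence.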
@@ -211,17 +221,17 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints:
> [!NOTE]
>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).
-The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
+The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information that is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
- `http://schemas.microsoft.com/ws/2012/01/accounttype`
- `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
-If you have more than one verified domain name, you need to provide the following claim for computers:
+If you've more than one verified domain name, you need to provide the following claim for computers:
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
-If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers:
+If you're already issuing an ImmutableID claim (for example, alternate sign in ID) you need to provide one corresponding claim for computers:
- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
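Review bot: replacing "alternate login ID" with "alternate sign in ID" rewrites what looks like a feature name and not a verb, so readers searching for the AD FS alternate login ID feature will no longer match it; keep the product term and apply the sign-in terminology only to actions. "If you've more than one verified domain name" is an awkward contraction where "have" is the main verb; "If you have" reads better. In "with some of this information that is then used by Azure AD Connect", the change from "which" to "that" makes the clause restrictive and alters the meaning; consider splitting it into two sentences.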
@@ -300,7 +310,7 @@ The definition helps you to verify whether the values are present or if you need
#### Issue issuerID for computer when multiple verified domain names in Azure AD
-**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
+**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or third party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
```powershell
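Review bot: the edited sentence "Note that one rule to explicitly issue the rule for users is necessary" says a rule issues a rule, which looks like a slip for "issue the claim for users". Since the line is being reworded, fix that, and hyphenate "third-party" in "(AD FS or third party)".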
@@ -352,10 +362,10 @@ In the claim above,
- `$
Network Unlock allows PCs to start automatically when connected to the internal network. |
+| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.
Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
-| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
+| There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
-| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
+| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. |
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
## Prepare for drive and file encryption
-The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid.
+The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid.
Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
### TPM pre-provisioning
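Review bot: The recovery-key row of the comparison table now shifts person mid-sentence: "BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password." Keep one subject, for example "or when the user loses the PIN or password". The added kiosk row also says SSO will "seamlessly protect" the keys from cold boot attacks while the last row of the same table says "help protect"; the two cells should agree, and the hedged wording is the safer claim.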
@@ -59,13 +59,13 @@ In Windows 7, preparing the TPM for use offered a couple of challenges:
Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
-Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
+Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
## Deploy hard drive encryption
-BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
+BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
-With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
+With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
## BitLocker Device Encryption
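Review bot: "Windows Pre-installation Environment" in the added "Deploy hard drive encryption" paragraph alters a product name. The removed line had "Windows Preinstallation Environment", which is the name of the component, so keep that spelling. In the TPM paragraph of the same hunk, "instrumentation ... that enable" should read "that enables"; the line is already being touched, so fix it here.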
@@ -76,8 +76,8 @@ Microsoft expects that most devices in the future will pass the testing requirem
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
-* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
-* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
+* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
+* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
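Review bot: The first bullet changed in this hunk still ends with "by using his or her Microsoft account credentials", although the same patch replaces "he or she" in the comparison table. Apply the same treatment here, for example "their Microsoft account credentials". The unchanged third bullet also says "logs on to an Azure AD account" while other hunks in this patch move to "sign in"; align it while you are in this list.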
@@ -92,9 +92,9 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry
## Used Disk Space Only encryption
-BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
+BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
-Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
+Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
## Encrypted hard drive support
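Review bot: The unchanged line between the two edits reads "BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data"; the subject is BitLocker, so the verb should be "lets". Both neighbouring paragraphs are edited, so fix it in this hunk. That line also keeps "as it is being written" while the added caution paragraph uses "it's written", so the contraction pass is incomplete.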
@@ -105,22 +105,22 @@ For more information about encrypted hard drives, see [Encrypted Hard Drive](../
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
-It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
-Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
+It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign in. Challenging users for input more than once should be avoided.
+Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
-When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
+When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign in, which makes it virtually impossible for the attacker to access or modify user data and system files.
-Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
-Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
+Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
+Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
## Configure Network Unlock
-Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
+Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
-Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
+Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock requires the following infrastructure:
* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
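Review bot: "sign in" is used as a noun in two added lines ("during Windows sign in" and "getting to the Windows sign in"). The noun form is hyphenated, "sign-in", which is also what the auditing FAQ change in this patch uses ("account sign-in"). If contractions are the goal of the pass, the added preboot paragraph also leaves "while it is at rest" uncontracted next to "aren't".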
@@ -143,11 +143,11 @@ Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administrat
* Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
* Offers an IT-customizable recovery user experience.
-* Supports Windows 10.
+* Supports Windows 11 and Windows 10.
> [!IMPORTANT]
> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
-Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more details, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
+Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
-Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more details, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
+Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
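Review bot: "Supports Windows 11 and Windows 10" in the MBAM feature list is a factual change rather than a wording change, and the IMPORTANT note directly below it says mainstream MBAM support ended in July 2019. Confirm that Windows 11 is a supported MBAM client and link the support statement, or leave the bullet as it was.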
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
index f5f495064d..df10782087 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
@@ -1,89 +1,90 @@
---
-title: BitLocker Network Unlock known issues
-description: Describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues.
-ms.reviewer: kaushika
+title: BitLocker network unlock known issues
+description: Describes several known issues that you may encounter while using network unlock, and provided guidance for addressing those issues.
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
+ms.reviewer: kaushika
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
-ms.date: 10/7/2019
ms.custom: bitlocker
---
-# BitLocker Network Unlock: known issues
+# BitLocker network unlock: known issues
-By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements:
+By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, your environment needs to meet the following requirements:
-- Each computer belongs to a domain
-- Each computer has a wired connection to the corporate network
-- The corporate network uses DHCP to manage IP addresses
-- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware
+- Each computer belongs to a domain.
+- Each computer has a wired connection to the internal network.
+- The internal network uses DHCP to manage IP addresses.
+- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
-For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
+For general guidelines about how to troubleshoot network unlock, see [How to enable network unlock: Troubleshoot network unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
-This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues.
+This article describes several known issues that you may encounter when you use network unlock, and provides guidance to address these issues.
-## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer
+## Tip: Detect whether BitLocker network unlock is enabled on a specific computer
-You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands.
+You can use the following steps on computers with either x64 or x32 UEFI firmware. You can also script these commands.
-1. Open an elevated Command Prompt window and run the following command:
+1. Open an elevated command prompt window and run the following command:
```cmd
- manage-bde protectors get
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
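Review bot: In the front matter of ts-bitlocker-network-unlock-issues.md, "ms.date: 10/7/2019" is removed and nothing replaces it, while the FAQ file in this patch gets an updated ms.date. Add a current ms.date so the revision is dated. The new description still reads "and provided guidance" (should be "provides"), the tip keeps the nonstandard "x32" where "32-bit" is meant, and lowercasing the feature to "network unlock" conflicts with "Network Unlock" in the overview article changed by this same patch.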
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 0cf382492f..f243b85b06 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -1,18 +1,12 @@
---
title: Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
ms.prod: m365-security
-ms.mktglfcycl:
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
manager: dougeby
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
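Review bot: The title in this front matter expands WIP as "Windows Information Policy", while the description on the next line says "Windows Information Protection". The hunk is already cleaning up this block, so correct the title to "Fine-tune Windows Information Protection (WIP) with WIP Learning". "ms.reviewer:" is also left with no value; remove it or fill it in.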
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
index aa92e85a9c..58035d8f4d 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
@@ -1,61 +1,21 @@
### YamlMime:FAQ
metadata:
title: Advanced security auditing FAQ (Windows 10)
- description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
- ms.reviewer:
- ms.author: dansimp
+ description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
ms.prod: m365-security
- ms.mktglfcycl: deploy
- ms.sitesec: library
- ms.pagetype: security
+ ms.technology: mde
ms.localizationpriority: none
author: dansimp
+ ms.author: dansimp
manager: dansimp
- audience: ITPro
+ ms.reviewer:
ms.collection: M365-security-compliance
ms.topic: faq
- ms.date: 11/10/2021
- ms.technology: mde
+ ms.date: 05/24/2022
+
title: Advanced security auditing FAQ
-summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
-
- - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-)
- - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-)
-
- - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-)
-
- - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-)
-
- - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-)
-
- - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-)
-
- - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-)
-
- - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-)
-
- - [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-)
-
- - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-)
-
- - [How do I ascertain the purpose for accessing a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-)
-
- - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-)
-
- - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-)
-
- - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-)
-
- - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-)
-
- - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-)
-
- - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-)
-
- - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-)
-
+summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
sections:
- name: Ignored
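Review bot: The new metadata description and the new summary no longer match: the description reads "This article lists common questions and answers about ..." and the summary reads "This article for the IT professional lists questions and answers about ...". Use one sentence for both. The metadata title still carries "(Windows 10)" while the page title does not, and "ms.reviewer:" is re-added with no value.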
@@ -70,36 +30,37 @@ sections:
- question: |
What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
answer: |
- The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
+ The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
- There are a number of additional differences between the security audit policy settings in these two locations.
+ There are several other differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
- Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
+ Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking.
- In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
+ In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
- The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later.
+ The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows.
- question: |
What is the interaction between basic audit policy settings and advanced audit policy settings?
answer: |
- Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
+ Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
- Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied.
+ Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied.
- > **Important** Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
+ > [!Important]
+ > Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
- If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
-
+ If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
+
- question: |
- How are audit settings merged by Group Policy?
+ How are audit settings merged by group policy?
answer: |
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
- For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
+ For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing.
- The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
+ The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
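Review bot: In the last added answer line of the "interaction between basic and advanced" question, the bolded setting name loses "(Windows Vista or later)" and now reads **Audit: Force audit policy subcategory settings to override audit policy category settings**. That text is what an administrator searches for under **Local Policies\\Security Options**, so please confirm the shortened name matches the label the snap-in shows. If the label still carries the parenthetical, keep it inside the bold text, because this is the setting that decides whether basic category settings are ignored. Separately, the sign-in rewording is uneven: the same paragraph now says "account sign-in activities" and, one sentence later, "advanced account logon setting". Since **Audit account logon events** has to stay as a setting name, pick one term for the surrounding prose.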
@@ -111,74 +72,68 @@ sections:
- question: |
What is the difference between an object DACL and an object SACL?
answer: |
- All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
+ All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
- If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
+ If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
- question: |
Why are audit policies applied on a per-computer basis rather than per user?
answer: |
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
- In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
+ Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
- However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
+ However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
- question: |
- What are the differences in auditing functionality between versions of Windows?
+ Are there any differences in auditing functionality between versions of Windows?
answer: |
- Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings.
-
- - question: |
- Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server?
- answer: |
- To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported.
+ No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings.
- question: |
What is the difference between success and failure events? Is something wrong if I get a failure audit?
answer: |
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
- A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
+ A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully.
- The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
+ The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
- question: |
How can I set an audit policy that affects all objects on a computer?
answer: |
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
- Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
+
+ Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
- question: |
How do I figure out why someone was able to access a resource?
answer: |
- Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
+ Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
- question: |
How do I know when changes are made to access control settings, by whom, and what the changes were?
answer: |
- To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
+ To track access control changes, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
-
- In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory.
-
+
- question: |
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
answer: |
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
- 2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
+ 2. Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
- Unless you complete all of these steps, the basic audit policy settings will not be restored.
+ Unless you complete all of these steps, the basic audit policy settings won't be restored.
- question: |
How can I monitor if changes are made to audit policy settings?
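Review bot: The rewritten per-computer answer still says the SACL audits "members of the Payroll Processors OU", while the sentence before it says auditing is enabled "for a security group that contains only the users you specify". An OU is a container, not a security principal, so it cannot be the trustee of a SACL entry. Since this line is being touched anyway, change both occurrences to a Payroll Processors security group. The split sentence also keeps the agreement error "only actions by members ... generates audit events"; it should read "generate". Minor: the unchanged line in the global object access answer has "even temporarily to a single SACL" hanging off a dash with no closing punctuation, which could be tidied in the same pass.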
@@ -201,27 +156,25 @@ sections:
- question: |
What are the best tools to model and manage audit policies?
answer: |
- The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies.
- On an individual computer, the Auditpol command-line tool can be used to complete many important audit policy–related management tasks.
+ The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies.
+ On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks.
- In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
+ There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs).
- question: |
Where can I find information about all the possible events that I might receive?
answer: |
- Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources:
+ Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. For more information about these events, and the settings used to generate them, see the following resources:
- - [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753)
- - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868)
- - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
+ - [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034)
+ - [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
+ - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- question: |
Where can I find more detailed information?
answer: |
To learn more about security audit policies, see the following resources:
- - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
- - [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
- - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868)
+ - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
+ - [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753)
+ - [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561)
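Review bot: The first added line of the "best tools" answer is left ungrammatical by the version cleanup: "The integration of advanced audit policy settings with domain is designed to simplify ...". The removed text was "with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2," and the deletion took "Group Policy" along with the version clause. Restore it as "with domain group policy is designed to simplify". Also, the "more detailed information" list now adds Windows 8 / Windows Server 2012 and Windows 7 / Windows Server 2008 R2 event references while the "all the possible events" list in the same hunk replaces those with the Windows 10 / Windows Server 2016 reference. If the goal of the patch is to drop out-of-support versions, the two lists should point at the same current references.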
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 8b9946ec0d..576cbdac19 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -12,6 +12,7 @@ ms.localizationpriority: high
ms.reviewer:
manager: dansimp
ms.technology: windows-sec
+adobe-target: true
---
# Microsoft Defender SmartScreen
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 68bc7639b6..1b90bf0d1c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -164,7 +164,7 @@ To add this CLSID to the existing policy, follow these steps:
```
### Default COM Object Allow List
-
+The table below describes the list of COM objects that are inherently trusted in Windows Defender Application Control. Objects in this list do not need to be allowlisted in your WDAC policies. They can be denied by creating explicit deny rules in your WDAC policy.
| File Name | CLSID |
|--------|-----------|
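Review bot: The sentence added under "Default COM Object Allow List" tells readers these objects "can be denied by creating explicit deny rules" but gives no pointer to what such a rule looks like. This is the one place an administrator learns that the listed CLSIDs are trusted without any allow rule, so link to the deny-rule syntax or name the section of this article that shows it. Style: "The table below describes the list of" can be shortened to "The following table lists", and "do not" should be "don't" to match the contraction style used elsewhere in this patch.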
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index a644bac95c..0add3ed41f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -79,3 +79,15 @@ C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml
```
This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access.
+
+The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy.
+
+```powershell
+appidtel.exe stop [-mionly]
+sc.exe config appid start=demand
+sc.exe config appidsvc start=demand
+sc.exe config applockerfltr start=demand
+sc stop applockerfltr
+sc stop appidsvc
+sc stop appid
+```
\ No newline at end of file
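Review bot: The last three commands in the added block use bare `sc` inside a powershell fence, and the lead-in calls them PowerShell commands. In Windows PowerShell, `sc` is an alias for Set-Content, so `sc stop applockerfltr` does not reach the service control tool and the filter driver and services keep running with the old policy in effect. The three `config` lines already use `sc.exe`; use `sc.exe stop ...` for the stop lines as well, or switch the fence to a Command Prompt block. Two smaller points: `appidtel.exe stop [-mionly]` shows the optional switch in usage notation, so pasted as written it passes the brackets literally; give the exact invocation and explain in prose when `-mionly` applies. The file also now ends without a trailing newline.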
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index fca1d484e0..7f1f74be4f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 10/19/2021
+ms.date: 05/12/2022
ms.technology: windows-sec
---
@@ -230,6 +230,10 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables
> [!NOTE]
> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer.
+## Remove Managed Installer feature
+
+To remove the Managed Installer feature from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
+
## Related articles
- [Managed installer and ISG technical reference and troubleshooting guide](configure-wdac-managed-installer.md)
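Review bot: The new "Remove Managed Installer feature" section sends readers to the clear-AppLocker-policies procedure without stating its scope. In this same patch, delete-an-applocker-rule.md says of that procedure "This will remove all AppLocker Policies on a machine". An administrator who only wants to turn off the managed installer would also lose any other AppLocker rules on the device, so say that here and tell them to export or re-apply the rules they want to keep. Since the linked article now also requires stopping the AppLocker services afterwards, mention that the service step is part of the removal, because the link anchor targets only the clear-policies heading. Wording: "you will need to" can be "you'll need to" or simply "remove the ...", matching the contraction style used elsewhere in the patch.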
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index bc7f23ee67..92f944b419 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -90,7 +90,3 @@ Once you've completed configuring your chosen Managed Installer, by specifying w
```
This command will show the raw XML to verify the individual rules that were set.
-
-## Remove Managed Installer feature
-
-To remove the Managed Installed from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule - To clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 1b9d67ff10..bfdae01ad9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -1,63 +1,64 @@
---
title: Understanding Application Control event IDs (Windows)
description: Learn what different Windows Defender Application Control event IDs signify.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.technology: windows-sec
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 04/30/2022
-ms.technology: windows-sec
+ms.date: 05/09/2022
+ms.topic: reference
---
# Understanding Application Control events
-A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
+**Applies to**
-- Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
+- Windows 10
+- Windows 11
+- Windows Server 2016 and later (limited events)
+
+A Windows Defender Application Control policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
+
+- Events about Application Control policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
- Events about the control of MSI installers, scripts, and COM objects appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
> [!NOTE]
> These event IDs are not included on Windows Server Core edition.
-## WDAC events found in the Microsoft Windows CodeIntegrity Operational log
+## Windows CodeIntegrity Operational log
| Event ID | Explanation |
|--------|-----------|
-| 3004 | This event isn't common and may occur with or without a WDAC policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. |
-| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option *20 Enabled:Revoked Expired As Unsigned* in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. |
-| 3034 | This event isn't common. It is the audit mode equivalent of event 3033 described above. |
-| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. |
-| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. |
-| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the "Correlation ActivityID" found in the "System" portion of the event. |
-| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy. |
+| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. |
+| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. |
+| 3034 | This event isn't common. It's the audit mode equivalent of event 3033 described above. |
+| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. |
+| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. |
+| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. |
+| 3099 | Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy. |
-## WDAC events found in the Microsoft Windows AppLocker MSI and Script log
+## Windows AppLocker MSI and Script log
| Event ID | Explanation |
|--------|-----------|
-| 8028 | This event indicates that a script host, such as PowerShell, queried WDAC about a file the script host was about to run. Since the WDAC policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts do not integrate with WDAC. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
+| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
| 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes.md). |
| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
-| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the "Correlation ActivityID" found in the "System" portion of the event. |
+| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. |
## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
-Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
+Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any Application Control policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
| Event ID | Explanation |
|--------|---------|
| 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
-| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. |
+| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. |
| 3092 | This event is the enforcement mode equivalent of 3091. |
The above events are reported per active policy on the system, so you may see multiple events for the same file.
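Review bot: The rewritten ISG/MI paragraph still reads "Events 3090, 3091 and 3092 prove helpful diagnostic information"; "prove" should be "provide", and since the line is already being changed this is the place to fix it. Separately, renaming the two `## WDAC events found in ...` headings changes their anchors, so links to the old headings need updating. The unchanged 8029 row links to a site-relative URL ending in `about_language_modes.md`, which probably should not carry the `.md` extension.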
@@ -72,8 +73,8 @@ The following information is found in the details for 3090, 3091, and 3092 event
| PassesManagedInstaller | Indicates whether the file originated from a MI |
| SmartlockerEnabled | Indicates whether the specified policy enables ISG trust |
| PassesSmartlocker | Indicates whether the file had positive reputation according to the ISG |
-| AuditEnabled | True if the WDAC policy is in audit mode, otherwise it is in enforce mode |
-| PolicyName | The name of the WDAC policy to which the event applies |
+| AuditEnabled | True if the Application Control policy is in audit mode, otherwise it is in enforce mode |
+| PolicyName | The name of the Application Control policy to which the event applies |
### Enabling ISG and MI diagnostic events
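Review bot: The AuditEnabled row keeps "otherwise it is in enforce mode" while the rest of the patch moves to contractions and the event tables say "enforced" or "enforcement mode". Pick one term and use it here too, for example "otherwise it's in enforced mode".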
@@ -87,29 +88,30 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
## Event ID 3099 Options
-The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
+The Application Control policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
- Access Event Viewer.
- Access the Code integrity 3099 event.
- Access the details pane.
-- Identify the hex code listed in the “Options” field.
-- Convert the hex code to binary
+- Identify the hex code listed in the "Options" field.
+- Convert the hex code to binary.
-:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 Policy Rule Options":::
+:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options.":::
-For a simple solution for converting hex to binary, follow these steps.
-- Open the Calculator app
-- Click on the menu icon :::image type="content" source="images/calculator-menu-icon.png" alt-text="calculator menu icon example":::
-- Click Programmer mode
-- Click HEX :::image type="content" source="images/hex-icon.png" alt-text="HEX icon example":::
-- Enter your hex code
-- Click Bit Toggling Keyboard :::image type="content" source="images/bit-toggling-keyboard-icon.png" alt-text="Bit Toggling Keyboard icon example":::
+For a simple solution for converting hex to binary, follow these steps:
-:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary":::
+1. Open the Calculator app.
+1. Select the menu icon. :::image type="icon" source="images/calculator-menu-icon.png" border="false":::
+1. Select **Programmer** mode.
+1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false":::
+1. Enter your hex code. For example, `80881000`.
+1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false":::
+
+:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary.":::
This view will provide the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy.
-Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the “Enabled:Audit Mode (Default)” is in the policy meaning the policy is in audit mode.
+Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode.
| Bit Address | Policy Rule Option |
|-------|------|
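Review bot: The new sample value in step 5, `80881000`, does not line up with the worked example in the last paragraph: in `80881000` the set bits are 31, 23, 19 and 12, so bit 16 is 0, yet the paragraph illustrates the lookup with bit 16 holding 1. Either carry the sample through (list which bits are set and note that bit 16 is clear, so by the paragraph's own rule the audit mode option is not in the policy) or use a sample value that has bit 16 set. The first procedure (Access Event Viewer through Convert the hex code to binary) is also sequential but stays a bullet list while the second was converted to numbered steps.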
@@ -141,46 +143,46 @@ A list of other relevant event IDs and their corresponding description.
| Event ID | Description |
|-------|------|
| 3001 | An unsigned driver was attempted to load on the system. |
-| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
-| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
+| 3002 | Code Integrity couldn't verify the boot image as the page hash couldn't be found. |
+| 3004 | Code Integrity couldn't verify the file as the page hash couldn't be found. |
| 3010 | The catalog containing the signature for the file under validation is invalid. |
| 3011 | Code Integrity finished loading the signature catalog. |
| 3012 | Code Integrity started loading the signature catalog. |
-| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. |
+| 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. |
| 3024 | Windows application control was unable to refresh the boot catalog file. |
| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. |
-| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked.
-| 3033 | The file under validation did not meet the requirements to pass the application control policy. |
-| 3034 | The file under validation would not meet the requirements to pass the application control policy if the WDAC policy was enforced. The file was allowed since the WDAC policy is in audit mode. |
-| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
-| 3064 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the WDAC policy is in audit mode. |
-| 3065 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. |
+| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked.
+| 3033 | The file under validation didn't meet the requirements to pass the application control policy. |
+| 3034 | The file under validation wouldn't meet the requirements to pass the Application Control policy if it was enforced. The file was allowed since the policy is in audit mode. |
+| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
+| 3064 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |
+| 3065 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. |
| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
-| 3075 | This event measures the performance of the WDAC policy check during file validation. |
-| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. |
-| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. |
-| 3079 | The file under validation did not meet the requirements to pass the application control policy. |
-| 3080 | If the WDAC policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. |
-| 3081 | The file under validation did not meet the requirements to pass the application control policy. |
-| 3082 | If the WDAC policy was in enforced mode, the non-WHQL driver would have been denied by the WDAC policy. |
+| 3075 | This event measures the performance of the Application Control policy check during file validation. |
+| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. |
+| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. |
+| 3079 | The file under validation didn't meet the requirements to pass the application control policy. |
+| 3080 | If the Application Control policy was in enforced mode, the file under validation wouldn't have met the requirements to pass the application control policy. |
+| 3081 | The file under validation didn't meet the requirements to pass the application control policy. |
+| 3082 | If the Application Control policy was in enforced mode, the non-WHQL driver would have been denied by the policy. |
| 3084 | Code Integrity will enforce the WHQL driver signing requirements on this boot session. |
-| 3085 | Code Integrity will not enforce the WHQL driver signing requirements on this boot session. |
-| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. |
-| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. |
+| 3085 | Code Integrity won't enforce the WHQL driver signing requirements on this boot session. |
+| 3086 | The file under validation doesn't meet the signing requirements for an isolated user mode (IUM) process. |
+| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. |
| 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
-| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. |
+| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. |
| 3092 | This event is the enforcement mode equivalent of 3091. |
-| 3095 | The WDAC policy cannot be refreshed and must be rebooted instead. |
-| 3096 | The WDAC policy was not refreshed since it is already up-to-date. |
-| 3097 | The WDAC policy cannot be refreshed. |
-| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy. |
+| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. |
+| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. |
+| 3097 | The Application Control policy can't be refreshed. |
+| 3099 | Indicates that a policy has been loaded. This event also includes information about the options that were specified by the Application Control policy. |
| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
-| 3101 | The system started refreshing the WDAC policy. |
-| 3102 | The system finished refreshing the WDAC policy. |
-| 3103 | The system is ignoring the WDAC policy refresh. |
-| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. |
-| 3105 | The system is attempting to refresh the WDAC policy. |
+| 3101 | The system started refreshing the Application Control policy. |
+| 3102 | The system finished refreshing the Application Control policy. |
+| 3103 | The system is ignoring the Application Control policy refresh. |
+| 3104 | The file under validation doesn't meet the signing requirements for a PPL (protected process light) process. |
+| 3105 | The system is attempting to refresh the Application Control policy. |
| 3108 | Windows mode change event was successful. |
| 3110 | Windows mode change event was unsuccessful. |
-| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. |
+| 3111 | The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy. |
| 3112 | The file under validation is signed by a certificate that has been explicitly revoked by Windows. |
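Review bot: The 3032 row is touched here but still ends without its closing `|`, unlike the other rows in the table; add it while the line is being changed. The rewritten 3064, 3065 and 3080 rows also mix "Application Control policy" and "application control policy" within one sentence, so settle on one casing.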
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index c3bdab9f89..0fbd505f00 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -142,11 +142,9 @@ Select the correct version of each .dll for the Windows release you plan to supp
-
+
| October 2021
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1909](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| December 2021
May 2021
December 2020
November 2019
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 689b70bef4..eec2742b4c 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -33,7 +33,6 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 21H2
- Windows 10 Version 21H1
- Windows 10 Version 20H2
- - Windows 10 Version 1909
- Windows 10 Version 1809
- Windows 10 Version 1607
- Windows 10 Version 1507