Merge branch 'main' into vp-csp-pilot

Vinay Pamnani 2022-11-29 10:35:43 -05:00 committed by GitHub
commit b6bf030c85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
141 changed files with 1754 additions and 1944 deletions


@ -7,7 +7,8 @@ metadata:
title: Windows for Education documentation
description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
ms.topic: landing-page
ms.prod: windows
ms.prod: windows-client
ms.technology: itpro-edu
ms.collection:
- education
- highpri
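Review bot: the only change here is `ms.prod: windows` to `ms.prod: windows-client`, which matches the value used on the other landing pages in this commit; no further action, but the same hub page keeps `ms.technology: itpro-edu` while the manage/CSP hubs get `itpro-manage`, so confirm the education value is intentional rather than a leftover.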

Binary file not shown.



@ -1,25 +1,19 @@
### YamlMime:Landing
title: Windows application management # < 60 chars
summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. # < 160 chars
title: Windows application management
summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions.
metadata:
title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection:
- windows-10
title: Windows application management
description: Learn about managing applications in Windows 10 and Windows 11.
ms.topic: landing-page
ms.prod: windows-client
ms.collection:
- highpri
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 08/24/2021 #Required; mm/dd/yyyy format.
ms.localizationpriority : medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
ms.date: 08/24/2021
landingContent:
# Cards and links should be based on top customer tasks or top subjects
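Review bot: `ms.localizationpriority : medium` keeps a stray space before the colon while every other key in this block is written `key: value`; since the hunk is already stripping the template comments (`# < 60 chars`, `#Required; mm/dd/yyyy format.`) from this metadata, normalise it to `ms.localizationpriority: medium` so the block is consistent.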


@ -6,12 +6,10 @@ summary: Find out how to apply custom configurations to Windows client devices.
metadata:
title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-manage
ms.collection:
- windows-10
- highpri
author: aczechowski
ms.author: aaroncz
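Review bot: `ms.collection` here keeps the `- windows-10` entry, while the application-management landing page in this same commit drops `- windows-10` and keeps only `- highpri`; if `windows-10` is being retired as a collection alongside the `ms.prod: windows` to `windows-client` move, remove it here (and on the CSP and Configure Windows client hubs), otherwise restore it on the application-management page so the landing pages stay consistent.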


@ -6,11 +6,10 @@ summary: Learn more about the configuration service provider (CSP) policies avai
metadata:
title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page # Required
services: windows-10
ms.prod: windows
ms.topic: landing-page
ms.technology: itpro-manage
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
ms.custom: intro-hub-or-landing
author: vinaypamnani-msft


@ -6,12 +6,9 @@ summary: Find out how to apply custom configurations to Windows 10 and Windows 1
metadata:
title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
author: aczechowski
ms.author: aaroncz
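Review bot: this landing page gets `ms.prod: windows-client` but no `ms.technology`, whereas the Manage Windows client and Configuration Service Provider landing pages in the same commit add `ms.technology: itpro-manage`; confirm whether the Configure Windows client hub should carry a technology value too, so the metadata cleanup is uniform across the hub pages.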


@ -221,7 +221,11 @@
- name: UCClientUpdateStatus
href: update/wufb-reports-schema-ucclientupdatestatus.md
- name: UCDeviceAlert
href: update/wufb-reports-schema-ucdevicealert.md
href: update/wufb-reports-schema-ucdevicealert.md
- name: UCDOAggregatedStatus
href: update/wufb-reports-schema-ucdoaggregatedstatus.md
- name: UCDOStatus
href: update/wufb-reports-schema-ucdostatus.md
- name: UCServiceUpdateStatus
href: update/wufb-reports-schema-ucserviceupdatestatus.md
- name: UCUpdateAlert


@ -3,7 +3,7 @@ title: Windows Autopilot EULA dismissal important information
description: A notice about EULA dismissal through Windows Autopilot
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
@ -13,8 +13,8 @@ ms.technology: itpro-deploy
---
# Windows Autopilot EULA dismissal important information
>[!IMPORTANT]
>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
> [!IMPORTANT]
> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
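Review bot: the reworded note still reads awkwardly: "a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA)" is missing both the object of "configuring" and the article. Since the line is already being touched for the `> [!IMPORTANT]` spacing, suggest "It is a notice to the administrator who is configuring devices to skip the End User License Agreement (EULA) during the OOBE (Out-of-Box Experience)."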


@ -9,72 +9,83 @@ ms.reviewer:
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Add Microsoft Store for Business applications to a Windows 10 image
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
>[!IMPORTANT]
>In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
> [!IMPORTANT]
> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
## Prerequisites
* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app).
* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app).
- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
>[!NOTE]
> [!NOTE]
> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**.
## Adding a Store application to your image
On a machine where your image file is accessible:
1. Open Windows PowerShell with administrator privileges.
2. Mount the image. At the Windows PowerShell prompt, type:
2. Mount the image. At the Windows PowerShell prompt, enter:
`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter:
`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
>[!NOTE]
>Paths and file names are examples. Use your paths and file names where appropriate.
> [!NOTE]
> Paths and file names are examples. Use your paths and file names where appropriate.
>
>Do not dismount the image, as you will return to it later.
> Do not dismount the image, as you will return to it later.
## Editing the Start Layout
In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
On a test machine:
1. **Install the Microsoft Store for Business application you previously added** to your image.
2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
3. Open Windows PowerShell with administrator privileges.
4. Use `Export-StartLayout -path <path><file name>.xml` where *\<path>\<file name>* is the path and name of the xml file your will later import into your Windows Image.
5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
Now, on the machine where your image file is accessible:
1. Import the Start layout. At the Windows PowerShell prompt, type:
1. Import the Start layout. At the Windows PowerShell prompt, enter:
`Import-StartLayout -LayoutPath "<path><file name>.xml" -MountPath "C:\test\"`
2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
2. Save changes and dismount the image. At the Windows PowerShell prompt, enter:
`Dismount-WindowsImage -Path c:\test -Save`
>[!NOTE]
>Paths and file names are examples. Use your paths and file names where appropriate.
> [!NOTE]
> Paths and file names are examples. Use your paths and file names where appropriate.
>
>For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization)
> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization)
## Related articles
* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
* [Export-StartLayout](/powershell/module/startlayout/export-startlayout)
* [Import-StartLayout](/powershell/module/startlayout/import-startlayout)
* [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)
* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
* [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
- [Export-StartLayout](/powershell/module/startlayout/export-startlayout)
- [Import-StartLayout](/powershell/module/startlayout/import-startlayout)
- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
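Review bot: step 3 of "Adding a Store application to your image" describes the parameters as `/PackagePath` and `/LicensePath` with DISM-style slashes, but the command on the next line is a PowerShell cmdlet and uses `-PackagePath` and `-LicensePath`; since that line is already edited (type to enter), change the prose to the dash form so it matches the command. Also in this hunk, step 4 under "Editing the Start Layout" has the typo "the xml file your will later import" (should be "you will"), and its `Export-StartLayout -path <path><file name>.xml` placeholder lacks a separator between path and file name, unlike the italic `<path>\<file name>` in the same sentence.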


@ -8,15 +8,15 @@ manager: aaroncz
ms.author: frankroj
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Configure a PXE server to load Windows PE
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network.
@ -37,107 +37,122 @@ All four of the roles specified above can be hosted on the same computer or each
3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **&lt;architecture&gt;** can be **x86**, **amd64**, or **arm** and **&lt;destination&gt;** is a path to a local directory. If the directory doesn't already exist, it will be created.
```
```cmd
copype.cmd <architecture> <destination>
```
For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory:
```
```cmd
copype.cmd amd64 C:\winpe_amd64
```
The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created:
```
```cmd
C:\winpe_amd64
C:\winpe_amd64\fwfiles
C:\winpe_amd64\media
C:\winpe_amd64\mount
```
4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example.
```cmd
dism.exe /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
```
Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
```
Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**.
Verify that the message **The operation completed successfully** is displayed.
> [!NOTE]
> To view currently mounted images, enter **`dism.exe /get-MountedWiminfo`**.
5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**:
```
net use y: \\PXE-1\TFTPRoot
```cmd
net.exe use y: \\PXE-1\TFTPRoot
y:
md Boot
```
6. Copy the PXE boot files from the mounted directory to the \boot folder. For example:
```
```cmd
copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot
```
7. Copy the boot.sdi file to the PXE/TFTP server.
```
7. Copy the boot.sdi file to the PXE/TFTP server.
```cmd
copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot
```
8. Copy the bootable Windows PE image (boot.wim) to the \boot folder.
```
8. Copy the bootable Windows PE image (boot.wim) to the \boot folder.
```cmd
copy C:\winpe_amd64\media\sources\boot.wim y:\Boot
```
9. (Optional) Copy true type fonts to the \boot folder
```
9. (Optional) Copy TrueType fonts to the \boot folder
```cmd
copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts
```
## Step 2: Configure boot settings and copy the BCD file
1. Create a BCD store using bcdedit.exe:
1. Create a BCD store using bcdedit.exe:
```cmd
bcdedit.exe /createstore c:\BCD
```
bcdedit /createstore c:\BCD
```
2. Configure RAMDISK settings:
2. Configure RAMDISK settings:
```cmd
bcdedit.exe /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi
bcdedit.exe /store c:\BCD /create /d "winpe boot image" /application osloader
```
bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi
bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader
```
The last command will return a GUID, for example:
```
```console
The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created.
```
Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID.
3. Create a new boot application entry for the Windows PE image:
3. Create a new boot application entry for the Windows PE image:
```cmd
bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows
bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes
bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes
```
bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} systemroot \windows
bcdedit /store c:\BCD /set {GUID1} detecthal Yes
bcdedit /store c:\BCD /set {GUID1} winpe Yes
```
4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID):
```
bcdedit /store c:\BCD /create {bootmgr} /d "boot manager"
bcdedit /store c:\BCD /set {bootmgr} timeout 30
bcdedit /store c:\BCD -displayorder {GUID1} -addlast
```
5. Copy the BCD file to your TFTP server:
4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID):
```cmd
bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager"
bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30
bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast
```
5. Copy the BCD file to your TFTP server:
```cmd
copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD
```
Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit.exe /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
```
C:\>bcdedit /store C:\BCD /enum all
```cmd
C:\>bcdedit.exe /store C:\BCD /enum all
Windows Boot Manager
--------------------
identifier {bootmgr}
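Review bot: step 4 says "Mount the base Windows PE image (winpe.wim)", but the command that follows mounts `c:\winpe_amd64\media\sources\boot.wim`; name the file the command actually opens (boot.wim, which copype.cmd creates under `media\sources` from winpe.wim) so readers do not go looking for a winpe.wim under `media`. Minor: step 4 of "Step 2" uses the dash form `bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast` while every other bcdedit.exe line in the hunk uses `/` switches; both forms work, but one style would be cleaner now that every command is being rewritten to `bcdedit.exe`.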
@ -163,25 +178,46 @@ ramdisksdidevice boot
ramdisksdipath \Boot\boot.sdi
```
>[!TIP]
>If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different.
> [!TIP]
> If you start the PXE boot process, but receive the error **The boot configuration data for your PC is missing or contains error**, then verify that `\boot` directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different.
## PXE boot process summary
The following process summarizes the PXE client boot.
>The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)).
<!--
1. A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server.
2. PXEboot.n12 immediately begins a network boot.
3. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD.
5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present.
6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image.
7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE.
8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system.
DHCP OPTIONS ARE NOT RECOMMENDED AND IN SOME SCENARIOS NOT SUPPORTED. SWITCHING TO IP HELPERS.
## See Also
>The following assumes that you have configured DHCP option 67 (Bootfile Name) to `boot\PXEboot.n12` which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)).
### Concepts
1. A client is directed by DHCP options 066 and 067 to download `boot\PXEboot.n12` from the TFTP server.
-->
> [!NOTE]
> The following assumes that the client and PXE server are on the same network/subnet/vlan or that PXE requests have been appropriately forwarded from the client to the PXE server using IP helpers configured in the router or switch. For more information about IP helpers, see [Configuring Your Router to Forward Broadcasts](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)#configuring-your-router-to-forward-broadcasts-recommended).
1. A client contacts the PXE server. When the client is on a different network/subnet/vlan as the PXE server, the client is routed to the PXE server using the IP helpers.
2. The PXE server sends DHCP options 060 (client identifier **PXEClient**), 066 (boot server host name) and 067 (boot file name) to the client.
3. The client downloads `boot\PXEboot.n12` from the TFTP server based on DHCP option 067 boot file name value received from the PXE server.
4. `PXEboot.n12` immediately begins a network boot.
5. The client downloads `boot\bootmgr.exe` and the `boot\BCD` file from the TFTP server.
> [!NOTE]
> The BCD store must reside in the `\boot` directory on the TFTP server and must be named BCD.
6. `Bootmgr.exe` reads the BCD operating system entries and downloads `boot\boot.sdi` and the Windows PE image (`boot\boot.wim`). Optional files that can also be downloaded include TrueType fonts (`boot\Fonts\wgl4_boot.ttf`) and the hibernation state file (`\hiberfil.sys`) if these files are present.
7. `Bootmgr.exe` starts Windows PE by calling `winload.exe` within the Windows PE image.
8. Windows PE loads, a command prompt opens and `wpeinit.exe` is run to initialize Windows PE.
9. The Windows PE client provides access to tools like `imagex.exe`, `diskpart.exe`, and `bcdboot.exe` using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system.
### Related articles
[Windows PE Walkthroughs](/previous-versions/windows/it-pro/windows-vista/cc748899(v=ws.10))
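Review bot: the tip's quoted error text was changed from "missing or contains errors" to "missing or contains error"; the original plural is the wording Windows actually shows, so restore "errors" (and write "verify that the `\boot` directory"). The old DHCP-option walkthrough is also left in the file inside an HTML comment together with the all-caps working note "DHCP OPTIONS ARE NOT RECOMMENDED AND IN SOME SCENARIOS NOT SUPPORTED. SWITCHING TO IP HELPERS."; dead commented-out content like this should be deleted rather than merged, git history keeps it. Finally, the `> [!NOTE]` placed between items 5 and 6 of the new numbered list must be indented under item 5, otherwise it terminates the list and item 6 starts a fresh one.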


@ -12,7 +12,7 @@ ms.collection: highpri
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Deploy Windows Enterprise licenses
@ -252,7 +252,7 @@ Use the following procedures to review whether a particular device meets these r
To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:
```PowerShell
```powershell
(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
```


@ -10,15 +10,15 @@ author: frankroj
ms.topic: article
ms.collection: M365-modern-desktop
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Deploy Windows 10 with Microsoft 365
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
@ -34,38 +34,40 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
## Free trial account
**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center
From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles.
There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
**If you do not already have a Microsoft services subscription**
### If you do not already have a Microsoft services subscription
You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
>[!NOTE]
>If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
> [!NOTE]
> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365).
2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview).
3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview).
Examples of these two deployment advisors are shown below.
- [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365)
- [Free trial account](#free-trial-account)
- [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center)
- [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription)
- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
- [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster)
- [Related articles](#related-articles)
## Microsoft 365 deployment advisor example
![Microsoft 365 deployment advisor.](images/m365da.png)
## Windows Analytics deployment advisor example
## Microsoft 365 Enterprise poster
[![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)
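Review bot: the `## Windows Analytics deployment advisor example` heading has no body, it is immediately followed by `## Microsoft 365 Enterprise poster`, while the Microsoft 365 example above it has its screenshot (`images/m365da.png`); either add the missing image or drop the heading, its anchor entry and the sentence "Examples of these two deployment advisors are shown below." The bullet list of anchors that starts with `- [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365)` also links to the page's own H1, which is pointless, so trim that entry if the list stays.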


@ -9,13 +9,14 @@ author: frankroj
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# What's new in Windows client deployment
**Applies to:**
*Applies to:*
- Windows 10
- Windows 11
@ -30,13 +31,14 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition
## Windows 11
Check out the following new articles about Windows 11:
- [Overview of Windows 11](/windows/whats-new/windows-11)
- [Plan for Windows 11](/windows/whats-new/windows-11-plan)
- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.<br>
## Deployment tools
## Deployment tools
[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.<br>
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br>
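Review bot: the lines `The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.<br>`, `[SetupDiag](#setupdiag) is included ... Windows 11.<br>` and `New capabilities are available ... <br>` still rely on trailing `<br>` tags to force line breaks; in Markdown these should be separate paragraphs (blank line between them) or a bullet list, and since the surrounding lines are already touched in this hunk, now is the time to drop the HTML.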
@ -51,6 +53,7 @@ The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deploym
## Microsoft 365
Microsoft 365 is a new offering from Microsoft that combines
- Windows 10
- Office 365
- Enterprise Mobility and Security (EMS).
@ -68,6 +71,7 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include:
- Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content.
@ -84,6 +88,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
### Windows Update for Business
[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.

View File

@ -6,16 +6,17 @@ manager: aaroncz
author: frankroj
ms.author: frankroj
ms.prod: windows-client
ms.technology: itpro-deploy
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Deploy Windows To Go in your organization
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment.
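Review bot: `ms.custom: seo-marvel-apr2020` survives a metadata refresh that adds `ms.technology: itpro-deploy` and bumps `ms.date` to 11/23/2022; stale SEO tags should be dropped in the same pass. The "Applies to" change swaps `**Applies to**` for `*Applies to:*` but keeps a one-item list ("- Windows 10"); if this article applies only to Windows 10, a single sentence says that more clearly than a one-item list.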
@ -26,15 +27,15 @@ This article helps you to deploy Windows To Go in your organization. Before you
The below list is items that you should be aware of before you start the deployment process:
* Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
* When running a Windows To Go workspace, always shut down the workspace before unplugging the drive.
- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive.
* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
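Review bot: the lead-in context line "The below list is items that you should be aware of before you start the deployment process:" is ungrammatical and is carried through untouched while every bullet under it is reformatted; suggest "Before you start the deployment process, be aware of the following:". The last bullet ("don't configure offline domain join or BitLocker on the drive" when using a duplicator) is the one security-relevant item in the list and gives no reason; the BitLocker warning later in this file ("Drives protected with BitLocker should not be duplicated") repeats the rule without one either, so a one-clause explanation in either place would help readers apply it correctly.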
## Basic deployment steps
@ -42,15 +43,15 @@ Unless you're using a customized operating system image, your initial Windows To
Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)).
>[!WARNING]
>If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
> [!WARNING]
> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
### Create the Windows To Go workspace
In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools.
>[!WARNING]
>The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
> [!WARNING]
> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
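Review bot: the first warning ("If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted") gives no reason and no way to tell whether a drive has been booted, so "If the drive has been booted inadvertently it should be reprovisioned prior to duplication" is hard to act on; add a sentence on why booting the master matters. The second block only changes `>[!WARNING]` to `> [!WARNING]`, but its content ("The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard") is a recommendation rather than a warning; `[!TIP]` or `[!NOTE]` fits better.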
#### To create a Windows To Go workspace with the Windows To Go Creator Wizard
@ -58,37 +59,31 @@ In this step we're creating the operating system image that will be used on the
2. Insert the USB drive that you want to use as your Windows To Go drive into your PC.
3. Verify that the .wim file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
>[!NOTE]
>For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)).
> [!NOTE]
> For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)).
4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens.
4. Search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens.
5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.**
6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the .wim file location and select select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**.
6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**.
7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions.
r
7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
>[!WARNING]
>If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated.
> [!WARNING]
> If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated.
If you choose to encrypt the Windows To Go drive now:
If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters.
- Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters.
~~~
>[!IMPORTANT]
>The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)).
~~~
> [!IMPORTANT]
> The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)).
8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process.
>[!WARNING]
>The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.
> [!WARNING]
> The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.
9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer.
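Review bot: the rewritten step 7 paragraph ("enter a password that is at least eight characters long and conforms to your organizations password complexity policy") is missing the apostrophe in "organization's", and the eight-character floor sits oddly beside the "Configure use of passwords for operating system drives" policy described at the end of this file, which is where length and complexity are actually enforced; either point to that policy here or drop the number. The single-character line "r" shown between the two versions of step 7 looks like a stray keystroke; confirm it is being removed, not added. The IMPORTANT note says the recovery password "will be saved in the documents library of the computer used to create the workspace automatically" without naming the file, so the operator cannot easily find it to secure or delete it; state the file name or location.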
@ -98,11 +93,15 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC.
1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
1. Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
2. In the Windows PowerShell session type, the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
```
<br>
<details>
<summary>Expand to show PowerShell commands to partition an MBR disk</summary>
```powershell
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
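Review bot: the `$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }` line selects every USB disk over 20 GB that is not the boot disk, not a single one, so if two qualifying drives are attached the later commands that consume `$Disk` run against both; the introductory sentence relies on the operator to "ensure that only the USB drive that you want to provision as a Windows To Go drive is connected", which is a thin safeguard for a destructive script. Suggest a guard such as `if (@($Disk).Count -ne 1) { throw "Expected exactly one candidate USB disk" }` immediately after that line. Separately, the `<br>` / `<details>` wrapper is added inside a numbered list item; make sure a blank line precedes the ```powershell fence or the block will not render as code.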
@ -136,27 +135,31 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
</details>
3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
> [!TIP]
> The index number must be set correctly to a valid Enterprise image in the `.wim` file.
```
```cmd
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
~~~
```
W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
```
~~~
```cmd
W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S:
```
5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step:
```
<br>
<details>
<summary>Expand to show example san_policy.xml file</summary>
```xml
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="offlineServicing">
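Review bot: the DISM block is now tagged ```cmd, but its first line `#The WIM file must contain a sysprep generalized image.` is not a comment in cmd (`#` is parsed as a command name and fails); use `REM The WIM file must contain a sysprep generalized image.` or move the sentence into the prose of step 3. Step 5's 'Apply SAN policy OFFLINE\_INTERNAL - "4"' mixes a dash, a hyphen and quotes; suggest 'Apply the SAN policy OFFLINE_INTERNAL (4)'. Dropping the `~~~` wrappers around the bcdboot fence and adding `.exe` to both commands is fine.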
@ -186,15 +189,21 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
</unattend>
```
</details>
6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command:
```
```cmd
Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
```
7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file:
```
<br>
<details>
<summary>Expand to show example san_policy.xml file</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
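Review bot: the `<summary>` added for step 7 reads "Expand to show example san_policy.xml file", but the block under it is the unattend.xml answer file that step 7 introduces ("Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment"); this is a copy-paste from step 5, change it to "Expand to show example unattend.xml file".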
@ -218,10 +227,12 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
</unattend>
```
After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\)
</details>
>[!IMPORTANT]
>Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`)
> [!IMPORTANT]
> Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC.
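Review bot: in the moved IMPORTANT note, `**`%systemroot%\panther`**` doubles bold and code formatting while the line before it uses a plain code span for `W:\Windows\System32\sysprep\`; use the code span alone, and put `unattend.xml` in that note in a code span as well, matching "copy `unattend.xml` into the sysprep folder" above it. That "After the answer file has been saved ..." line also lacks a closing period.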
@ -231,14 +242,14 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a
Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace.
>[!TIP]
>If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer.
> [!TIP]
> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer.
If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer.
To set the Windows To Go Startup options for host computers running Windows 10:
1. Using Cortana, search for **Windows To Go startup options** and then press **Enter**.
1. Search for **Windows To Go startup options** and then press **Enter**.
2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB
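Review bot: step 2 ("select **Save Changes** to configure the computer to boot from USB") is missing its terminal period. The Windows 7 TIP still links through an opaque `go.microsoft.com/fwlink` redirect while every other link in this file is a docs path; resolve it to the target article so link checking can catch it if the redirect rots.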
@ -250,7 +261,7 @@ For host computers running Windows 8 or Windows 8.1:
You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting:
**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\Windows To Go Default Startup Options**
**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options**
After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options.
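Review bot: the paragraph following the Group Policy path packs the Enabled, Disabled and Not configured behaviours into one run-on; splitting it into three short items (Enabled: automatic start is attempted and users cannot change it via Windows To Go Startup Options; Disabled: no boot to Windows To Go unless a user sets it in firmware; Not configured: members of Administrators can toggle it) would make the policy's effect scannable. The reformat of the path from backslashes to `>` separators is fine.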
@ -260,13 +271,13 @@ Your host computer is now ready to boot directly into Windows To Go workspace wh
After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace:
**To boot your workspace**
**To boot your workspace:**
1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it.
1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it.
2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender.
2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender.
3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to type the password, otherwise the workspace will boot directly into the Windows To Go workspace.
3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace.
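Review bot: step 3 ("otherwise the workspace will boot directly into the Windows To Go workspace") is circular; say "otherwise the PC will boot directly into the Windows To Go workspace". The same sentence is a comma splice ("you'll be asked to enter the password, otherwise"); use a semicolon or "and otherwise".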
## Advanced deployment steps
@ -276,26 +287,26 @@ The following steps are used for more advanced deployments where you want to hav
Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network.
**Prerequisites for remote access scenario**
**Prerequisites for remote access scenario:**
- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer
- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer
- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings.
- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings.
- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer
- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer
- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain
- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain
**To configure your Windows To Go workspace for remote access**
**To configure your Windows To Go workspace for remote access:**
1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by &lt;&gt;) with the ones applicable for your environment:
```
djoin /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
```cmd
djoin.exe /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
```
>[!NOTE]
>The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)).
> [!NOTE]
> The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)).
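Review bot: the NOTE under the djoin command has "if are using `djoin.exe`" (missing "you") and a comma splice ("... for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter"); `/certtemplate` and `/downlevel` should also be code spans like `djoin.exe` rather than bold or plain text. More important, the file written by `/savefile <C:\example\path\domainmetadatafile>` is what the workspace later loads with `djoin.exe /requestodj /loadfile`, and nothing in the procedure says to restrict access to that file or delete it once step 6 has completed; add that instruction to step 6.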
2. Insert the Windows To Go drive.
@ -303,7 +314,11 @@ Making sure that Windows To Go workspaces are effective when used off premises i
4. From the Windows PowerShell command prompt run:
```
<br>
<details>
<summary>Expand this section to show PowerShell commands to run</summary>
```powershell
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
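Review bot: this PowerShell block is a verbatim copy of the one in "Basic deployment steps" (same `$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" ...}` filter and, per the hunk headers, the same line count), so any fix, including a single-disk guard, has to be made twice; consider referring back to step 2 of the basic procedure or using an include rather than a second copy. The new `<summary>` wording ("Expand this section to show PowerShell commands to run") also differs from the first copy's ("Expand to show PowerShell commands to partition an MBR disk"); align them.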
@ -337,27 +352,31 @@ Making sure that Windows To Go workspaces are effective when used off premises i
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
</details>
5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
~~~
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
```cmd
#The WIM file must contain a sysprep generalized image.
dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
```
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
~~~
> [!TIP]
> The index number must be set correctly to a valid Enterprise image in the `.wim` file.
6. After those commands have completed, run the following command:
```
djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
```cmd
djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
```
7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)):
```
<br>
<details>
<summary>Expand this section to show example unattend.xml file</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
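Review bot: the `#The WIM file must contain a sysprep generalized image.` line inside the ```cmd block is not a cmd comment (same defect as step 3 of the basic procedure); use `REM`. In this copy the TIP about the `.wim` index number is moved to after the DISM command, whereas the basic procedure keeps it before the command; put it in the same place in both so the reader sees the index caveat before running the command. The `<summary>` for step 7 ("Expand this section to show example unattend.xml file") is correct here, unlike the basic procedure's copy.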
@ -391,16 +410,18 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind
</unattend>
```
</details>
8. Safely remove the Windows To Go drive.
9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace.
* If on premises using a host computer with a direct network connection, sign on using your domain credentials.
- If on premises using a host computer with a direct network connection, sign on using your domain credentials.
* If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials.
- If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials.
>[!NOTE]
>Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
> [!NOTE]
> Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises.
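Review bot: the two sub-bullets under step 9 use "sign on" ("sign on using your domain credentials") while step 1 of this procedure uses "sign in"; pick one term. Those bullets are also the only place the reader learns that an off-premises workspace must "join a wired or wireless network with internet access" before the domain sign-on works, which is the crux of the DirectAccess scenario; consider promoting that into the step text rather than leaving it in a sub-bullet.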
@ -410,17 +431,23 @@ Enabling BitLocker on your Windows To Go drive will help ensure that your data i
#### Prerequisites for enabling BitLocker scenario
* A Windows To Go drive that can be successfully provisioned.
- A Windows To Go drive that can be successfully provisioned.
* A computer running Windows 8 configured as a Windows To Go host computer
- A computer running Windows 8 configured as a Windows To Go host computer
* Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary:
- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary:
**\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup**. This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting.
- **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup**
**\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Configure use of passwords for operating system drives**. This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting.
**\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Enable use of BitLocker authentication requiring preboot keyboard input on slates**. This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives.
- **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives**
This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled.
- **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates**
This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives.
You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios.
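Review bot: the three policy paths in the new nested list (`**Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > ...`) still start at `Windows Components`, while the `Password must meet complexity requirements` path in the same hunk is given in full from `Computer Configuration`; give all four the same full form (`Computer Configuration` > `Administrative Templates` > `Windows Components` > ...) so a reader can find them in the Group Policy editor. Also make sure each description paragraph is indented under its bullet, otherwise the rendered list splits into three separate lists with loose paragraphs between them.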
@ -432,10 +459,12 @@ Enabling BitLocker after distribution requires that your users turn on BitLocker
BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It's recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you don't want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled.
- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive.
- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive.
- **Warning**
If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place.
- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user.
> [!WARNING]
> If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place.
#### To enable BitLocker during provisioning
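Review bot: the second bullet (`If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace.`) states the backup as unconditional and then describes what happens if AD DS backup isn't used; reword to `can be backed up to AD DS ... if that is configured` so the two sentences don't contradict each other. With that change the split-out warning reads correctly as the fallback case for when no central store exists.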
@ -447,10 +476,14 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
4. Provision the Windows To Go drive using the following cmdlets:
>[!NOTE]
>If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
> [!NOTE]
> If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
```
<br>
<details>
<summary>Expand this section to show PowerShell commands to run</summary>
```powershell
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
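Review bot: the `<details>` wrapper added in front of the ```powershell fence needs a blank line between `</summary>` and the opening fence, otherwise Markdown renderers treat the fence as part of the HTML block and show the script as raw text; the stray `<br>` before `<details>` can be dropped. Separately, the first command (`$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }`) collects every non-boot USB disk above 20 GB, so the step should tell the reader to disconnect any other USB storage before running the rest of the provisioning commands.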
@ -484,25 +517,27 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
</details>
Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
> [!TIP]
> The index number must be set correctly to a valid Enterprise image in the `.wim` file.
```
```cmd
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive:
```
```powershell
$BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector
```
6. Next, use the following cmdlets to save the recovery key to a file:
```
```powershell
#The BitLocker Recovery key is essential if for some reason you forget the BitLocker password
#This recovery key can also be backed up into Active Directory using manage-bde.exe or the
#PowerShell cmdlet Backup-BitLockerKeyProtector.
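Review bot: the line `#The WIM file must contain a sysprep generalized image.` now sits inside a block tagged ```cmd, but `#` is not a comment character in cmd; a reader who pastes the block gets `'#The' is not recognized` before the `dism.exe` line runs. Use `rem` for the comment or move the sentence into the prose above the block. The `dism` to `dism.exe` change itself is fine.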
@ -512,35 +547,34 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation:
```
```powershell
# Create a variable to store the password
$spwd = ConvertTo-SecureString -String <password> -AsplainText -Force
Enable-BitLocker W: -PasswordProtector $spwd
```
>[!WARNING]
>To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background.
> [!WARNING]
> To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background.
8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten.
>[!WARNING]
>If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key.
> [!WARNING]
> If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key.
If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker).
If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution).
9. Safely remove the Windows To Go drive.
The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information:
* Initial BitLocker password that they'll need to boot the drives.
- Initial BitLocker password that they'll need to boot the drives.
* Current encryption status.
- Current encryption status.
* Instructions to change the BitLocker password after the initial boot.
- Instructions to change the BitLocker password after the initial boot.
* Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact.
- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact.
<a href="" id="enable-bitlocker"></a>
#### To enable BitLocker after distribution
1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace
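Review bot: the link fix in step 8 (`#to-enable-bitlocker-after-distribution`) makes the HTML anchor `<a href="" id="enable-bitlocker"></a>` kept above `#### To enable BitLocker after distribution` redundant; remove the anchor now that the link targets the heading, rather than carrying both. In step 7, `ConvertTo-SecureString -String <password> -AsplainText -Force` leaves the placeholder unquoted, which is a parse error if copied literally (`<` is a reserved operator); show it as `-String '<password>'` and spell the parameter `-AsPlainText`.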
@ -551,8 +585,8 @@ The Windows To Go drives are now ready to be distributed to users and are protec
4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option.
>[!NOTE]
>If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace.
> [!NOTE]
> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace.
### Advanced deployment sample script
@ -562,11 +596,11 @@ The sample script creates an unattend file that streamlines the deployment proce
#### Prerequisites for running the advanced deployment sample script
* To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts.
- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts.
* Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters.
- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters.
* The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters.
- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters.
#### To run the advanced deployment sample script
@ -576,22 +610,26 @@ The sample script creates an unattend file that streamlines the deployment proce
3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt:
```
```powershell
Set-ExecutionPolicy RemoteSigned
```
The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).
> [!TIP]
> To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing &lt;cmdlet-name&gt; with the name of the cmdlet you want to see the help for:
>
> To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `<cmdlet-name>` with the name of the cmdlet you want to see the help for:
>
> `Get-Help <cmdlet-name> -Online`
>
>
> This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser.
#### Windows To Go multiple drive provisioning sample script
```
<br>
<details>
<summary>Expand this section to view Windows To Go multiple drive provisioning sample script</summary>
```powershell
<#
.SYNOPSIS
Windows To Go multiple drive provisioning sample script.
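Review bot: `Set-ExecutionPolicy RemoteSigned` in step 3 is run with no `-Scope`, so it changes the machine-wide policy permanently rather than only for this provisioning session; suggest `Set-ExecutionPolicy RemoteSigned -Scope Process` (or `-Scope CurrentUser`) and say so in the paragraph that follows, which currently explains only what RemoteSigned allows.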
@ -959,22 +997,23 @@ write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)"
write-output "" "Provisioning script complete."
```
</details>
## Considerations when using different USB keyboard layouts with Windows To Go
In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout:
```
reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f
reg unload HKLM\WTG-Keyboard
```cmd
reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f
reg.exe unload HKLM\WTG-Keyboard
```
## Related articles
[Windows To Go: feature overview](planning/windows-to-go-overview.md)
[Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
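Review bot: the keyboard-layout block under `## Considerations when using different USB keyboard layouts with Windows To Go` is now tagged ```cmd but uses the PowerShell variable `${OSDriveLetter}`, and the sentence above says these commands are added to the PowerShell provisioning script; tag it ```powershell (the `reg.exe` calls run unchanged there) or replace the variable with a literal drive letter. Also, the context line `write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)"` carries a typo (`Provsioning`) that could be fixed while this script is being touched.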
View File
@ -9,7 +9,7 @@ ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
@ -23,7 +23,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This article provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. |
|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
View File
@ -6,12 +6,10 @@ summary: Set up peer to peer downloads for Windows Updates and learn about Micro
metadata:
title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-updates
ms.collection:
- windows-10
- highpri
author: aczechowski
ms.author: aaroncz
View File
@ -6,12 +6,10 @@ summary: Learn about deploying and keeping Windows client devices up to date. #
metadata:
title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.technology: itpro-apps
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
author: frankroj
ms.author: frankroj
View File
@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.prod: windows-client
author: frankroj
ms.author: frankroj
ms.date: 10/31/2022
ms.date: 11/23/2022
manager: aaroncz
ms.localizationpriority: high
ms.topic: article
@ -15,18 +15,19 @@ ms.technology: itpro-deploy
# MBR2GPT.EXE
**Applies to**
- Windows 10
*Applies to:*
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
- Windows 10
MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
See the following video for a detailed description and demonstration of MBR2GPT.
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o]
You can use MBR2GPT to:
@ -45,6 +46,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s
## Disk Prerequisites
Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
- The disk is currently using MBR
- There's enough space not occupied by partitions to store the primary and secondary GPTs:
- 16 KB + 2 sectors at the front of the disk
@ -66,21 +68,21 @@ If any of these checks fails, the conversion won't proceed, and an error will be
| Option | Description |
|----|-------------|
|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|/disk:\<diskNumber\>| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
|/logs:\<logDirectory\>| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
|/map:\<source\>=\<destination\>| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
|/allowFullOS| By default, MBR2GPT.exe is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|**/disk:*\<diskNumber\>***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
|**/logs:*\<logDirectory\>***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
|**/map:*\<source\>*=*\<destination\>***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
## Examples
### Validation example
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```console
X:\>mbr2gpt /validate /disk:0
```cmd
X:\>mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
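Review bot: switching the validation example fence from ```console to ```cmd mislabels a block that is mostly program output (`MBR2GPT: Attempting to validate disk 0` ...), which is exactly what `console` is for; keep `console` for transcripts and use `cmd` only for blocks of commands to type. In the options table, the `/map` example `**/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**` is the one value left in bold rather than code formatting; use backticks, as the same rows now do for `MBR2GPT.exe`.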
@ -92,16 +94,25 @@ MBR2GPT: Validation completed successfully
In the following example:
1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
2. The MBR2GPT tool is used to convert disk 0.
3. The DiskPart tool displays that disk 0 is now using the GPT format.
4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
3. The MBR2GPT tool is used to convert disk 0.
4. The DiskPart tool displays that disk 0 is now using the GPT format.
5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
```console
X:\>DiskPart
<br>
<details>
<summary>Expand to show MBR2GPT example</summary>
```cmd
X:\>DiskPart.exe
Microsoft DiskPart version 10.0.15048.0
@ -219,6 +230,8 @@ Offset in Bytes: 524288000
* Volume 1 D Windows NTFS Partition 58 GB Healthy
```
</details>
## Specifications
### Disk conversion workflow
@ -259,17 +272,18 @@ Since GPT partitions use a different set of type IDs than MBR partitions, each p
4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
For more information about partition types, see:
- [GPT partition types](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt)
- [MBR partition types](/windows/win32/fileio/disk-partition-types)
### Persisting drive letter assignments
The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
> [!IMPORTANT]
> This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
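Review bot: the IMPORTANT callout says the drive-letter remap runs after the layout conversion and cannot be undone, but the only change to the preceding paragraph in this hunk is trailing whitespace. Since the conversion is irreversible at that point, the paragraph should tell the reader to record the current letter-to-volume mapping (the `list volume` output shown earlier in the file is enough) and to have a backup before running the tool, so that the manual reassignment the text promises is actually possible when the remap fails.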
@ -293,7 +307,7 @@ Four log files are created by the MBR2GPT tool:
- setupact.log
- setuperr.log
These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion.
These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion.
> [!NOTE]
> The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
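Review bot: "different than" should be "different from" in the NOTE. The paragraph (whitespace-only change here) would also be clearer if it gave the concrete log location for the Windows PE case, since `%windir%` resolves to `X:\Windows` in WinPE and readers troubleshooting a failed conversion from a task sequence will be looking for a path, not a variable.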
@ -302,12 +316,12 @@ The default location for all these log files in Windows PE is **%windir%**.
### Interactive help
To view a list of options available when using the tool, type **mbr2gpt /?**
To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`**
The following text is displayed:
```console
C:\> mbr2gpt /?
```cmd
C:\> mbr2gpt.exe /?
Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
@ -348,19 +362,18 @@ MBR2GPT has the following associated return codes:
| Return code | Description |
|----|-------------|
|0| Conversion completed successfully.|
|1| Conversion was canceled by the user.|
|2| Conversion failed due to an internal error.|
|3| Conversion failed due to an initialization error.|
|4| Conversion failed due to invalid command-line parameters. |
|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
|6| Conversion failed because one or more volumes on the disk is encrypted.|
|7| Conversion failed because the geometry and layout of the selected disk don't meet requirements.|
|8| Conversion failed due to error while creating the EFI system partition.|
|9| Conversion failed due to error installing boot files.|
|10| Conversion failed due to error while applying GPT layout.|
|100| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.|
|**0**| Conversion completed successfully.|
|**1**| Conversion was canceled by the user.|
|**2**| Conversion failed due to an internal error.|
|**3**| Conversion failed due to an initialization error.|
|**4**| Conversion failed due to invalid command-line parameters. |
|**5**| Conversion failed due to error reading the geometry and layout of the selected disk.|
|**6**| Conversion failed because one or more volumes on the disk is encrypted.|
|**7**| Conversion failed because the geometry and layout of the selected disk don't meet requirements.|
|**8**| Conversion failed due to error while creating the EFI system partition.|
|**9**| Conversion failed due to error installing boot files.|
|**10**| Conversion failed due to error while applying GPT layout.|
|**100**| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.|
### Determining the partition type
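Review bot: bolding the codes is fine, but two things are missing around this table. Return code 6 ("one or more volumes on the disk is encrypted") should point to how BitLocker-protected volumes must be handled before conversion, because that is the most common cause of a failed run. And the Known issue later in the file reports exit code 0xC0000135/3221225781, which is an NTSTATUS from the loader (STATUS_DLL_NOT_FOUND), not one of the tool's own return codes; a reader scanning this table for 0xC0000135 will not find it, so the table (or the Known issue) should say that a value outside 0-10/100 is a process-startup failure rather than a conversion result.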
@ -381,8 +394,8 @@ You can also view the partition type of a disk by opening the Disk Management to
If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
```console
X:\>DiskPart
```cmd
X:\>DiskPart.exe
Microsoft DiskPart version 10.0.15048.0
@ -405,15 +418,15 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is
When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues:
**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive.
**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive.
**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there's no output from the tool.
**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool.
**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
#### Cause
This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
#### Workaround
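Review bot: 0xC0000135 is STATUS_DLL_NOT_FOUND, which is exactly the missing ReAgent.dll symptom the Cause paragraph describes; naming it in Issue 3 would let readers connect the exit code to the fix without looking it up. The Cause paragraph also says "version 1903 and later" both for the requirement and for the file being missing from Windows PE, which leaves it unclear whether current ADK boot images are still affected; state the affected ADK/Windows PE builds explicitly.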
@ -430,31 +443,31 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
**Command 1:**
```console
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
```
This command copies three files:
* ReAgent.admx
* ReAgent.dll
* ReAgent.xml
- ReAgent.admx
- ReAgent.dll
- ReAgent.xml
**Command 2:**
```console
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us"
```
This command copies two files:
* ReAgent.adml
* ReAgent.dll.mui
- ReAgent.adml
- ReAgent.dll.mui
> [!NOTE]
> If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language.
3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
## Related articles
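Review bot: the wildcard `ReAgent*.*` in Command 1 copies ReAgent.admx and ReAgent.xml into the boot image's System32 alongside ReAgent.dll, but the Cause names only the DLL and its libraries as the dependency; the .admx/.xml files are policy and configuration templates, not libraries, so narrow the copy to the DLL (and the .mui in Command 2) rather than dropping extra files into the boot image. Both commands are also hard-wired to the ADK's `amd64` folder; the note about replacing "En-Us" should be paired with one about using the matching architecture folder for non-amd64 Windows PE images.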

View File

@ -3,7 +3,8 @@ metadata:
title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
ms.prod: w10
ms.prod: windows-client
ms.technology: itpro-deploy
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library

View File

@ -8,7 +8,8 @@ metadata:
ms.author: frankroj
manager: aaroncz
keywords: FAQ, mobile, device, USB
ms.prod: w10
ms.prod: windows-client
ms.technology: itpro-deploy
ms.mktglfcycl: deploy
ms.pagetype: mobility
ms.sitesec: library

View File

@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
@ -20,15 +20,15 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update
## S mode key features
**Microsoft-verified security**
### Microsoft-verified security
With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
**Performance that lasts**
### Performance that lasts
Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go.
**Choice and flexibility**
### Choice and flexibility
Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
@ -49,6 +49,6 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too
## Related links
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
- [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
- [Microsoft Defender for Endpoint](/microsoft-365/windows/microsoft-defender-atp)
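Review bot: the Microsoft Defender for Endpoint link was changed from an absolute `https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp` URL to the site-relative path `/microsoft-365/windows/microsoft-defender-atp`. That path is a product-marketing page on www.microsoft.com, not a docs-site path, so the relative form will most likely 404 on the documentation host; either keep the absolute URL or link to the product documentation instead. Dropping `/en-us/` from the S mode devices link is fine.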

Binary file not shown.


View File

@ -0,0 +1,35 @@
---
title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus
ms.reviewer:
manager: naengler
description: UCDOAggregatedStatus schema
ms.prod: windows-client
author: cmknox
ms.author: carmenf
ms.collection: M365-analytics
ms.topic: reference
ms.date: 11/17/2022
ms.technology: itpro-updates
---
# UCDOAggregatedStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. |
| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. |
| **DeviceCount** | [long](/azure/kusto/query/scalar-data-types/long) | `27077` | Number of devices. |
| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID |
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. |
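Review bot: "an aggregation of all individual UDDOStatus records" has a typo, the table is UCDOStatus. The BWOptPercent28Days description ("for this device") and the AzureADDeviceId row look copied from the per-device UCDOStatus schema; in a tenant-level aggregate that carries a DeviceCount column, either reword them for the aggregate (percentage across the counted devices) or drop the device-ID field if rows are not per device. The TenantId example `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` is not a valid GUID (it contains `y`); use a syntactically valid placeholder so readers do not conclude the field is free-form.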

View File

@ -0,0 +1,55 @@
---
title: Windows Update for Business reports Data Schema - UCDOStatus
ms.reviewer:
manager: naengler
description: UCDOStatus schema
ms.prod: windows-client
author: cmknox
ms.author: carmenf
ms.collection: M365-analytics
ms.topic: reference
ms.date: 11/17/2022
ms.technology: itpro-updates
---
# UCDOStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization.
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. |
| **City** | [string](/azure/kusto/query/scalar-data-types/string) | `Redmond` | Approximate city where device was located while downloading content, based on IP address. |
| **ContentDownloadMode** | [int](/azure/kusto/query/scalar-data-types/int) | `1` | Device's Delivery Optimization Download Mode used to download content. |
| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. |
| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | Approximate country where device was located while downloading content, based on IP address. |
| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `DESKTOP-DO` | User or organization provided device name. If the value appears as '#', configure the device to send device name. |
| **DOStatusDescription** | [string](/azure/kusto/query/scalar-data-types/string) | `Downloading` | A short description of Delivery Optimization status, if any. |
| **DownloadMode** | [string](/azure/kusto/query/scalar-data-types/string) | `LAN (1)` | Delivery Optimization Download Mode configured on the device. |
| **DownloadModeSrc** | [string](/azure/kusto/query/scalar-data-types/string) | `MDM` | The source of the Download Mode configuration. |
| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft global device identifier. This identifier is used by Microsoft internally. |
| **GroupID** | [string](/azure/kusto/query/scalar-data-types/string) | `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` | Delivery Optimization Group ID GUID value. |
| **ISP** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft Corporation` | Internet Service Provider estimation. |
| **LastCensusSeenTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
| **NoPeersCount** | [long](/azure/kusto/query/scalar-data-types/long) | `4` | Count of peers device interacted with. |
| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10/11 operating system version currently installed on the device, such as 20H1, 21H2. |
| **PeerEligibleTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `5` | Total count of eligible transfers by peers. |
| **PeeringStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `On` | Delivery Optimization peering status. |
| **PeersCannotConnectCount** | [long](/azure/kusto/query/scalar-data-types/long) | `1` | Count of peers Delivery Optimization couldn't connect to. |
| **PeersSuccessCount** | [long](/azure/kusto/query/scalar-data-types/long) | `2` | Count of peers Delivery Optimization successfully connected to. |
| **PeersUnknownCount** | [long](/azure/kusto/query/scalar-data-types/long) | `0` | Count of peers with an unknown relation. |
| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) |`6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID |
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
| **TotalTimeForDownload** | [string](/azure/kusto/query/scalar-data-types/string) | `00:02:11` | Total time to download content. |
| **TotalTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `304` | Total count of data transfers needed to download content. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. |
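Review bot: the Type row's example is `UCDOAggregatedStatus`, but this is the UCDOStatus schema. Several other rows are inconsistent with themselves: NoPeersCount is described as "Count of peers device interacted with", which contradicts its name and overlaps PeersSuccessCount; OSVersion's example `1909` does not match its description ("such as 20H1, 21H2"); GroupID is described as a GUID while the example `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` is a base64-looking string (if the field is an encoded or hashed group ID, say so); LastCensusSeenTime's example `2020-05-14 09:26:03.478039` uses a different format from TimeGenerated's ISO 8601 example. The TenantId placeholder has the same invalid-GUID problem as in the aggregated schema.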

View File

@ -141,7 +141,7 @@ The **Device status** group for feature updates contains the following items:
## <a name="bkmk_do"></a> Delivery Optimization (preview tab)
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes Microsoft Connected Cache (MCC) information.
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
At the top of the report, tiles display the following information:
@ -156,6 +156,8 @@ The Delivery Optimization tab is further divided into the following groups:
- **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**.
- **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**.
:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png":::
## Customize the workbook
Since the Windows Update for Business reports workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started).
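Review bot: "This view provides filters commonly used ways of grouping devices" is missing a word ("filters for commonly used ways of grouping devices"), and "This new revised report" should be either "new" or "revised". Both sentences are unchanged context in this hunk, so they can be fixed alongside the link change without touching anything else.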

View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/01/2022
ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@ -136,6 +136,9 @@ The default `MigUser.xml` file migrates the following data:
> [!NOTE]
> The asterisk (`*`) stands for zero or more characters.
> [!NOTE]
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
The default `MigUser.xml` file doesn't migrate the following data:
- Files tagged with both the **Hidden** and **System** attributes.
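Review bot: adding a second NOTE directly under the existing one renders as two stacked callout boxes. The OpenDocument sentence is a "not migrated by default" item, so it belongs either in the existing note or in the "doesn't migrate the following data" list that immediately follows; the identical addition in the other USMT article in this commit has the same issue.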

View File

@ -3,11 +3,11 @@ metadata:
title: 'Frequently Asked Questions (Windows 10)'
description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.'
ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
ms.reviewer:
ms.prod: windows-client
ms.technology: itpro-deploy
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro

View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/01/2022
ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@ -78,6 +78,9 @@ This section describes the user data that USMT migrates by default, using the `M
> [!NOTE]
> The asterisk (`*`) stands for zero or more characters.
> [!NOTE]
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
- **Access control lists.** USMT migrates access control lists (ACLs) for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named `File1.txt` that is **read-only** for **User1** and **read/write** for **User2**, these settings will still apply on the destination computer after the migration.
> [!IMPORTANT]

View File

@ -11,12 +11,12 @@ ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
ms.collection: M365-modern-desktop
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Configure VDA for Windows subscription activation
Applies to:
*Applies to:*
- Windows 10
- Windows 11
@ -61,42 +61,55 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
## Active Directory-joined VMs
1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image)
2. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
2. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
3. At an elevated command prompt, type **sysdm.cpl** and press ENTER.
3. At an elevated command prompt, enter **sysdm.cpl**.
4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
5. Select **Add**, type **Authenticated users**, and then select **OK** three times.
5. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again.
7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8.
1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
1. Open Windows Configuration Designer and select **Provision desktop services**.
1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
2. Open Windows Configuration Designer and select **Provision desktop services**.
3. Under **Name**, enter **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
> [!NOTE]
> You can use a different project name, but this name is also used with dism.exe in a later step.
1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
1. On the Set up network page, choose **Off**.
1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
4. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
5. On the Set up network page, choose **Off**.
6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
> [!NOTE]
> This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
1. On the Add applications page, add applications if desired. This step is optional.
1. On the Add certificates page, add certificates if desired. This step is optional.
1. On the Finish page, select **Create**.
1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
7. On the Add applications page, add applications if desired. This step is optional.
8. On the Add certificates page, add certificates if desired. This step is optional.
9. On the Finish page, select **Create**.
10. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
11. Enter the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
```cmd
Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg"
```
1. Right-click the mounted image in file explorer and select **Eject**.
12. Right-click the mounted image in file explorer and select **Eject**.
8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image.
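Review bot: step 2's `REG.exe ADD ... UserAuthentication /t REG_DWORD /d 0` disables Network Level Authentication on the RDP listener, so unauthenticated clients can reach the logon screen; it is marked optional but carries no caution, and nothing in the procedure sets it back to 1 once the image is in Azure. Add a warning, say why it is needed (the custom RDP file in the later section), and add a re-enable step. Step 5 adds "Authenticated users" to the remote desktop users, which on an AD-joined image means every domain account can RDP in; state that consequence. The GVLK `W269N-WFGWX-YVC9B-4J6C9-T83GX` is the published KMS client setup key for Pro, so that part is fine.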
@ -107,33 +120,50 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
- When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg**
- When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure).
## Azure Gallery VMs
1. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
1. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
2. At an elevated command prompt, type `sysdm.cpl` and press ENTER.
2. At an elevated command prompt, enter `sysdm.cpl`.
3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
4. Select **Add**, type **Authenticated users**, and then select **OK** three times.
4. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
6. Open Windows Configuration Designer and select **Provision desktop services**.
7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
1. Under **Name**, enter **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
2. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
8. Under **Name**, enter **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
9. On the Set up network page, choose **Off**.
10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
11. On the Add applications page, add applications if desired. This step is optional.
12. On the Add certificates page, add certificates if desired. This step is optional.
13. On the Finish page, select **Create**.
14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system.
> [!NOTE]
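Review bot: step 1 writes `UserAuthentication = 0` under `...\WinStations\RDP-Tcp`, which turns off Network Level Authentication so the RDP listener accepts a session before the user has authenticated; the step is labelled optional, but the doc should state that trade-off and tell the reader to set the value back to `1` (or re-enable NLA on the Remote tab of `sysdm.cpl`) once the provisioning package has been applied. Step 4 deserves the same caveat: adding **Authenticated users** to the remote-access list grants every authenticated account RDP access to the VM, not only the administrator performing the enrollment. The `REG` → `REG.exe` and "type ... press ENTER" → "enter" rewordings look fine.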
@ -142,9 +172,13 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
## Create custom RDP settings for Azure
1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host.
2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it.
3. Close the Remote Desktop Connection window and open Notepad.
4. Open the RDP file in Notepad to edit it.
5. Enter or replace the line that specifies authentication level with the following two lines of text:
```text
@ -162,4 +196,4 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)
[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)

View File

@ -8,14 +8,15 @@ ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Windows Deployment Services (WDS) boot.wim support
Applies to:
- Windows 10
*Applies to:*
- Windows 10
- Windows 11
The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported.
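Review bot: `ms.date` is bumped from 10/31/2022 to 11/23/2022 while the only other change in this file is the `Applies to:` → `*Applies to:*` formatting; if the date is meant to signal a content update for readers, consider leaving it unchanged for cosmetic-only edits (the same pattern appears in the other files touched by this merge).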
@ -38,7 +39,7 @@ The table below provides support details for specific deployment scenarios (Boot
## Reason for the change
Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
## Not affected
@ -53,7 +54,7 @@ You can still run Windows Setup from a network share. Workflows that use a custo
- Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked.
- Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked.
If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image.
If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image.
## Also see

View File

@ -9,13 +9,14 @@ ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: reference
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Windows 10 deployment process posters
**Applies to**
- Windows 10
*Applies to:*
- Windows 10
The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager.

View File

@ -7,15 +7,15 @@ author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Windows 10 deployment scenarios
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
@ -55,9 +55,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)<br>[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)<br>[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
>[!IMPORTANT]
>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
> [!IMPORTANT]
> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
## Modern deployment methods
@ -86,19 +86,19 @@ Scenarios that support in-place upgrade with some other procedures include chang
- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken.
- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken.
## Dynamic provisioning
@ -106,7 +106,7 @@ For new PCs, organizations have historically replaced the version of Windows inc
The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
### Windows 10 Subscription Activation<A ID="windows-10-subscription-activation"></A>
### Windows 10 Subscription Activation
Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
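Review bot: removing the explicit `<A ID="windows-10-subscription-activation"></A>` from the heading is safe only because the auto-generated slug for `### Windows 10 Subscription Activation` is the same `windows-10-subscription-activation`, so existing `#windows-10-subscription-activation` fragment links (including the in-page one in the scenario table above) keep resolving; the PR description should mention that rather than leaving it implicit, and any heading rename later will need the anchor re-added.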
@ -122,17 +122,17 @@ These scenarios can be used to enable "choose your own device" (CYOD) programs.
While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
## Traditional deployment:
## Traditional deployment
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them.
The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
- **New computer.** A bare-metal deployment of a new machine.
- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
- **New computer**: A bare-metal deployment of a new machine.
- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
### New computer
@ -140,13 +140,13 @@ Also called a "bare metal" deployment. This scenario occurs when you have a blan
The deployment process for the new machine scenario is as follows:
1. Start the setup from boot media (CD, USB, ISO, or PXE).
1. Start the setup from boot media (CD, USB, ISO, or PXE).
2. Wipe the hard disk clean and create new volume(s).
2. Wipe the hard disk clean and create new volume(s).
3. Install the operating system image.
3. Install the operating system image.
4. Install other applications (as part of the task sequence).
4. Install other applications (as part of the task sequence).
After you follow these steps, the computer is ready for use.
@ -156,17 +156,17 @@ A refresh is sometimes called wipe-and-load. The process is normally initiated i
The deployment process for the wipe-and-load scenario is as follows:
1. Start the setup on a running operating system.
1. Start the setup on a running operating system.
2. Save the user state locally.
2. Save the user state locally.
3. Wipe the hard disk clean (except for the folder containing the backup).
3. Wipe the hard disk clean (except for the folder containing the backup).
4. Install the operating system image.
4. Install the operating system image.
5. Install other applications.
5. Install other applications.
6. Restore the user state.
6. Restore the user state.
After you follow these steps, the machine is ready for use.
@ -176,9 +176,9 @@ A computer replace is similar to the refresh scenario. However, since we're repl
The deployment process for the replace scenario is as follows:
1. Save the user state (data and settings) on the server through a backup job on the running operating system.
1. Save the user state (data and settings) on the server through a backup job on the running operating system.
2. Deploy the new computer as a bare-metal deployment.
2. Deploy the new computer as a bare-metal deployment.
> [!NOTE]
> In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.

View File

@ -3,7 +3,7 @@ title: Windows 10/11 Enterprise E3 in CSP
description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
@ -15,16 +15,17 @@ ms.technology: itpro-deploy
# Windows 10/11 Enterprise E3 in CSP
Applies to:
*Applies to:*
- Windows 10
- Windows 11
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
- Azure Active Directory (Azure AD) available for identity management
- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
- Azure Active Directory (Azure AD) available for identity management
You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
@ -32,22 +33,22 @@ Previously, only organizations with a Microsoft Volume Licensing Agreement could
When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
- **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
- **Training**. These benefits include training vouchers, online e-learning, and a home use program.
- **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
- **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
- **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
- **Training**. These benefits include training vouchers, online e-learning, and a home use program.
- **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
- **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
@ -60,15 +61,15 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin
Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro*
### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
|Feature|Description|
|--- |--- |
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<p>Credential Guard has the following features:<li>**Hardware-level security**. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security**. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats**. Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability**. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<p>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<p>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<p>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<p>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<p>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<p>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<p>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<p>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<p>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
## Deployment of Windows 10/11 Enterprise E3 licenses
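Review bot: In the Credential Guard row, the "Hardware-level security" bullet conflicts with the row's own footnote ("will use software if TPM 2.0 not present"); add a sentence that without TPM 2.0 the VBS-protected secrets are not hardware-bound and device health attestation can't be rooted in hardware, so a TPM should be treated as required wherever that guarantee matters. The same row's "helps prevent Pass-the-Hash or Pass-the-Ticket attacks" should be scoped to what the feature actually does: it isolates the derived credentials that LSA holds, it doesn't stop an attacker who already obtained a hash or ticket from another source. In the Device Guard row, the linked page title already says "Windows Defender Application Control"; naming WDAC there as the code integrity policy mechanism would match the terminology of the link target and of current builds.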
@ -88,41 +89,39 @@ The following sections provide you with the high-level tasks that need to be per
You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
- **Manual**. You can manually turn on Credential Guard by taking one of the following actions:
- **Manual**. You can manually turn on Credential Guard by taking one of the following actions:
- Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
- Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
- Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
- Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can automate these manual steps by using a management tool such as Microsoft Configuration Manager.
For more information about implementing Credential Guard, see the following resources:
- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
### Device Guard
Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate.
1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate.
2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
For more information about implementing Device Guard, see:
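Review bot: Step 1 ("Optionally, create a signing certificate for code integrity policies") and step 6 ("taking code integrity policies out of audit mode") need to be tied together: an unsigned enforced policy can be removed or replaced by any local administrator, so signing is what makes an enforced policy tamper-resistant, and "optionally" should carry that qualification. Also, the sentence introducing the Device Guard steps says the devices "have Windows 10/11 Enterprise" and then refers to "the Windows 10 Enterprise devices"; pick one, consistent with the heading of the article.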
@ -139,19 +138,20 @@ For more information about AppLocker management by using Group Policy, see [AppL
App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows:
- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
### UE-V
UE-V requires server and client-side components that you'll need to download, activate, and install. These components include:
- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
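Review bot: The UE-V line says the components are ones "you'll need to download, activate, and install", but the linked overview ("User Experience Virtualization (UE-V) for Windows 10 overview") covers the in-box UE-V that ships with Windows 10 Enterprise, version 1607 and later, which only needs to be enabled; mirror the App-V client bullet's wording ("must be enabled") rather than "download". Only the template generator, which ships with the Windows ADK, is a separate download.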
@ -174,16 +174,16 @@ For more information about deploying UE-V, see the following resources:
The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
*Table 2. Managed User Experience features*
#### Table 2. Managed User Experience features
| Feature | Description |
|------------------|-----------------|
| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.<br>For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
## Related articles
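Review bot: The Unified Write Filter row reads as if UWF "helps protect" storage in a security sense; state what it actually guarantees, which is that writes to protected volumes are discarded at reboot. Anything done during a session, including writes to paths in UWF exclusions, stays in effect until the device restarts, and excluded paths persist across reboots, so UWF is a reset mechanism for kiosk-style devices rather than a control that blocks malicious writes. The Keyboard Filter row has the same shape: suppressing Ctrl+Alt+Delete keeps a kiosk user inside the assigned app and should be described as a UX lockdown, not as access control.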

View File

@ -3,7 +3,7 @@ title: Windows 10 volume license media
description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@ -14,9 +14,9 @@ ms.technology: itpro-deploy
# Windows 10 volume license media
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
@ -29,7 +29,7 @@ When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Ed
> [!NOTE]
> If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
### Language packs
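Review bot: The NOTE just above the changed line still points at https://technet.microsoft.com/windows/release-info.aspx; TechNet URLs are retired and only redirect, so replace it with the current Windows release information page (/windows/release-health/release-information) in the site-relative form the rest of the article uses. The changed line itself is only a trailing-whitespace fix. "If you do not see" could also become "If you don't see" to match the contractions used elsewhere in the article.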
@ -47,4 +47,4 @@ Features on demand is a method for adding features to your Windows 10 image that
<br>[Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
<br>[Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
<br>[VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
<br>[Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)
<br>[Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)

View File

@ -7,12 +7,12 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# How to install fonts that are missing after upgrading to Windows client
**Applies to**
*Applies to:*
- Windows 10
- Windows 11
@ -36,7 +36,7 @@ For example, if you've an English, French, German, or Spanish version of Windows
If you want to use these fonts, you can enable the optional feature to add them back to your system. The removal of these fonts is a permanent change in behavior for Windows client, and it will remain this way in future releases.
## Installing language-associated features via language settings:
## Installing language-associated features via language settings
If you want to use the fonts from the optional feature and you know that you'll want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app.
@ -57,7 +57,7 @@ Once you've added Hebrew to your language list, then the optional Hebrew font fe
> [!NOTE]
> The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
## Install optional fonts manually without changing language settings:
## Install optional fonts manually without changing language settings
If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.

View File

@ -3,7 +3,7 @@ title: Step by step - Deploy Windows 10 in a test lab using MDT
description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@ -14,23 +14,26 @@ ms.technology: itpro-deploy
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
> [!IMPORTANT]
> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
>
> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
>
> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
>
> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work.
## In this guide
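Review bot: The rewritten checkpoints link replaces both the checkpoints and the "saved states" references with a single checkpoints link; if saved states are still part of the pause-and-resume workflow this guide expects, keep a link to them (the current Hyper-V docs cover them), otherwise drop "resume" from the sentence so it doesn't promise something the link no longer covers. The PC1 description ("Windows 7, Windows 8, or Windows 8.1") describes a source machine that this guide upgrades, which is fine for the PoC, but a short note that Windows 7 and Windows 8 are out of support and Windows 8.1 reaches end of support in January 2023, so PC1 should stay on the isolated poc-internal switch, would help readers who reuse the lab. Moving the prerequisite links inside the ">" block so the IMPORTANT callout renders as one quote is correct.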
@ -50,10 +53,13 @@ Topics and procedures in this guide are summarized in the following table. An es
## About MDT
MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
## Install MDT
@ -80,11 +86,12 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
A reference image serves as the foundation for Windows 10 devices in your organization.
1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
@ -108,7 +115,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
10. Use the following settings for the Import Operating System Wizard:
10. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**<BR>
- Source: **D:\\** <BR>
- Destination: **W10Ent_x64**<BR>
@ -119,6 +126,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article.
11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**<BR>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
- Task sequence comments: **Reference Build**<BR>
@ -143,7 +151,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
> [!NOTE]
> Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
@ -153,7 +161,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
20. Replace the default rules with the following text:
```text
```ini
[Settings]
Priority=Default
@ -188,7 +196,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```text
```ini
[Settings]
Priority=Default
@ -211,7 +219,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
> [!TIP]
> To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
```powershell
New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@ -221,21 +229,21 @@ A reference image serves as the foundation for Windows 10 devices in your organi
vmconnect localhost REFW10X64-001
```
The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated.
Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
- Install the Windows 10 Enterprise operating system.
- Install added applications, roles, and features.
- Update the operating system using Windows Update (or WSUS if optionally specified).
- Stage Windows PE on the local disk.
- Run System Preparation (Sysprep) and reboot into Windows PE.
- Capture the installation to a Windows Imaging (WIM) file.
- Turn off the virtual machine.<BR><BR>
- Install the Windows 10 Enterprise operating system.
- Install added applications, roles, and features.
- Update the operating system using Windows Update (or WSUS if optionally specified).
- Stage Windows PE on the local disk.
- Run System Preparation (Sysprep) and reboot into Windows PE.
- Capture the installation to a Windows Imaging (WIM) file.
- Turn off the virtual machine.<BR><BR>
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
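Review bot: the last bullet of the re-indented list, `- Turn off the virtual machine.<BR><BR>`, still carries the HTML line break that the rest of this hunk is cleaning up. Now that the bullets are properly nested under step 28, the `<BR><BR>` only produces stray vertical space in the rendered Markdown; drop it and let the blank line before "This step requires from 30 minutes to 2 hours" separate the paragraphs, as the other lists in this file do.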
@ -244,6 +252,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
- **Deployment share path**: C:\MDTProd
- **Share name**: MDTProd$
- **Deployment share description**: MDT Production
@ -259,7 +268,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**.
7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**.
@ -274,6 +283,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**.
2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 Custom Image
- Task sequence comments: Production Image
@ -282,22 +292,23 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
- Specify Product Key: Don't specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: http://www.contoso.com
- Admin Password: pass@word1
- Internet Explorer home page: `http://www.contoso.com`
- Admin Password: pass@word1
### Configure the MDT production deployment share
1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
```powershell
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
```
```
2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**.
3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet):
```text
```ini
[Settings]
Priority=Default
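Review bot: the hunk wraps the home page value in a code span (`http://www.contoso.com`) but leaves the adjacent `- Admin Password: pass@word1` as plain text, so the two literal values in the same list are formatted differently. Wrap `pass@word1` in backticks as well, and consider stating in that bullet that this is the throwaway local administrator password for the PoC lab VM, since the value is repeated verbatim elsewhere in the guide and a reader copying the task sequence into a real environment should know to replace it.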
@ -341,13 +352,13 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui):
```console
```cmd
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
```
For example, to migrate **all** users on the computer, replace this line with the following line:
```console
```cmd
ScanStateArgs=/all
```
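Review bot: the `cmd` fence tag is the wrong language for these two blocks; `ScanStateArgs=/ue:*\* /ui:CONTOSO\*` and `ScanStateArgs=/all` are key/value lines from the CustomSettings.ini rules, not commands typed at a prompt, so they should use the `ini` tag that this same commit applies to the surrounding rules and Bootstrap.ini blocks. While here, the sentence above them formats the exclude option as `ue` but the include option as plain "(ui)"; make both code spans for consistency.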
@ -355,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
4. Select **Edit Bootstap.ini** and replace text in the file with the following text:
```text
```ini
[Settings]
Priority=Default
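Review bot: the step heading `4. Select **Edit Bootstap.ini**` has a typo in the file name (Bootstap instead of Bootstrap); the hunk changes the fence tag on the next line but leaves the typo in place. Since the button label is what the reader has to find in the Deployment Workbench, correct it to **Edit Bootstrap.ini** in this same change.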
@ -367,7 +378,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
SkipBDDWelcome=YES
```
5. Select **OK** when finished.
5. Select **OK** when finished.
### Update the deployment share
@ -391,9 +402,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
WDSUTIL /Set-Server /AnswerClients:All
```cmd
WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
WDSUTIL.exe /Set-Server /AnswerClients:All
```
2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**.
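Review bot: the fence is changed from `powershell` to `cmd`, but the introductory sentence still reads "by typing the following command at an elevated Windows PowerShell prompt", and it is also the one step in this file that did not get the "type" to "enter" wording update. `WDSUTIL.exe` runs from either shell, so either keep `powershell` or reword the sentence to "elevated command prompt"; they should agree. Separately, `/AnswerClients:All` makes the WDS server respond to any PXE client on the subnet, which is appropriate for this isolated lab but not for a production WDS server, where `/AnswerClients:Known` with prestaged computer accounts is the usual choice; a short parenthetical noting this is a lab-only setting would help readers who reuse the command.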
@ -404,12 +415,12 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
### Deploy the client image
1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
> [!NOTE]
> Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
> Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt.
Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
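Review bot: the rewritten note has an unbalanced backtick: `**`Get-NetIPAddress | ft interfacealias, ipaddress**` opens a code span inside the bold but never closes it, so the rest of the line (and possibly the following paragraph) will render as literal code. Close the span before the closing bold marker, that is, end the command with a backtick followed by `**`, or drop the bold and keep only the code span, which is how commands are formatted elsewhere in this file.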
@ -417,7 +428,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
>Wait until the disable-netadapter command completes before proceeding.
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@ -437,7 +448,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Enable-NetAdapter "Ethernet 2"
@ -453,7 +464,7 @@ This completes the demonstration of how to deploy a reference image to the netwo
## Refresh a computer with Windows 10
This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
1. If the PC1 VM isn't already running, then start and connect to it:
@ -462,7 +473,7 @@ This section will demonstrate how to export user data from an existing client co
vmconnect localhost PC1
```
2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
@ -472,10 +483,10 @@ This section will demonstrate how to export user data from an existing client co
Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
4. Open an elevated command prompt on PC1 and type the following command:
4. Open an elevated command prompt on PC1 and enter the following command:
```console
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```cmd
cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
> [!NOTE]
@ -498,13 +509,13 @@ This section will demonstrate how to export user data from an existing client co
8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
```
10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
@ -516,15 +527,18 @@ This section will demonstrate how to export user data from an existing client co
## Replace a computer with Windows 10
At a high level, the computer replace process consists of:<BR>
At a high level, the computer replace process consists of:
- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.<BR>
- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
### Create a backup-only task sequence
1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share.
3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-Item -Path C:\MigData -ItemType directory
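Review bot: the search-and-replace of "Type" with "enter" left step 3 starting with a lowercase word, `3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:`; capitalize it as in every other step. The same hunk removes the trailing `<BR>` from "At a high level, the computer replace process consists of:" but keeps it on the first bullet, `- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.<BR>`; remove that one too so both bullets are plain list items.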
@ -533,45 +547,56 @@ At a high level, the computer replace process consists of:<BR>
```
4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**.
5. Name the new folder **Other**, and complete the wizard using default options.
6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard:
- **Task sequence ID**: REPLACE-001
- **Task sequence name**: Backup Only Task Sequence
- **Task sequence comments**: Run USMT to back up user data and settings
- **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template)
7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings.
8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
### Run the backup-only task sequence
1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt:
```console
whoami
```cmd
whoami.exe
```
2. To ensure a clean environment before running the backup task sequence, type the following commands at an elevated Windows PowerShell prompt on PC1:
2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
Remove-Item c:\minint -recurse
Remove-Item c:\_SMSTaskSequence -recurse
Restart-Computer
```
3. Sign in to PC1 using the contoso\administrator account, and then type the following command at an elevated command prompt:
```console
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt:
```cmd
cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
4. Complete the deployment wizard using the following settings:
- **Task Sequence**: Backup Only Task Sequence
- **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
- **Computer Backup**: Don't back up the existing computer.
5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete.
7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
```powershell
PS C:\> dir C:\MigData\PC1\USMT
```cmd
dir C:\MigData\PC1\USMT
Directory: C:\MigData\PC1\USMT
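Review bot: step 8 now reads "Note the enter of capture and backup tasks that are present", which is a mechanical "type" to "enter" replacement applied to the noun; the original "Note the type of capture and backup tasks" is the correct wording and should be restored. In the same hunk, the unchanged context line for step 5 has mismatched emphasis markers in `select the **Monitoring* node`, which renders the rest of the line as bold; it should be `**Monitoring**`. Finally, the `dir C:\MigData\PC1\USMT` block is tagged `cmd` but consists mostly of directory listing output, so `console` (the tag this commit uses for command output elsewhere) would be more accurate than `cmd`.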
@ -580,16 +605,16 @@ At a high level, the computer replace process consists of:<BR>
-a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
```
### Deploy PC3
### Deploy PC3
1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
```
2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
@ -628,6 +653,7 @@ At a high level, the computer replace process consists of:<BR>
## Troubleshooting logs, events, and utilities
Deployment logs are available on the client computer in the following locations:
- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
- After deployment: %WINDIR%\TEMP\DeploymentLogs

View File

@ -9,16 +9,16 @@ manager: aaroncz
ms.author: frankroj
author: frankroj
ms.topic: tutorial
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Deploy Windows 10 in a test lab using Configuration Manager
*Applies to*
*Applies to:*
- Windows 10
> [!Important]
> [!IMPORTANT]
> This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides:
>
> - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
@ -59,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate
## Install prerequisites
1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
@ -69,7 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
> If the request to add features fails, retry the installation by typing the command again.
2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
@ -77,15 +77,15 @@ The procedures in this guide are summarized in the following table. An estimate
This command mounts the .ISO file to drive D on SRV1.
4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
```powershell
```cmd
D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
```
Installation will take several minutes. When installation is complete, the following output will be displayed:
```dos
```console
Microsoft (R) SQL Server 2014 12.00.5000.00
Copyright (c) Microsoft Corporation. All rights reserved.
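Review bot: step 4 still says "Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server", but the fence on the next line is changed from `powershell` to `cmd`. The `D:\setup.exe /q ...` invocation works unchanged from either shell because every argument is a `/NAME=value` token, so the fix is only to make the prose and the tag agree; given that steps 3 and 5 around it use PowerShell, keeping `powershell` is the smaller change. The switch of the output block from `dos` to `console` is correct, since that block is program output rather than something the reader types.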
@ -99,10 +99,9 @@ The procedures in this guide are summarized in the following table. An estimate
Success
One or more affected files have operations pending.
You should restart your computer to complete this process.
PS C:\>
```
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow
@ -124,13 +123,13 @@ The procedures in this guide are summarized in the following table. An estimate
Stop-Process -Name Explorer
```
1. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
```dos
```powershell
Get-Service Winmgmt
Status Name DisplayName
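Review bot: the block whose tag changes from `dos` to `powershell` contains `Get-Service Winmgmt` followed by its output (`Status Name DisplayName` and the rows below it), so tagging it `powershell` will syntax-highlight the output columns as if they were code. The `console` tag, which this commit already adopts for the SQL Server setup output a few hunks earlier, fits a command-plus-output transcript better. The renumbering from repeated `1.` to explicit `2.`, `3.`, `4.` is fine, but make sure the later steps in this file (renumbered to 5 through 20 in the next hunk) stay in sync if more steps are inserted.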
@ -157,36 +156,48 @@ The procedures in this guide are summarized in the following table. An estimate
If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt:
```powershell
cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
```cmd
C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
```
1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1:
```dos
```cmd
adsiedit.msc
```
1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
1. Select **container** and then select **Next**.
1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**.
1. Right-click **CN=system Management** and then select **Properties**.
1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
1. Under **Enter the object names to select**, type **SRV1** and select **OK**.
1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
1. Close the ADSI Edit console and switch back to SRV1.
1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
```powershell
cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
9. Select **container** and then select **Next**.
10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**.
11. Right-click **CN=system Management** and then select **Properties**.
12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
13. Under **Enter the object names to select**, enter **SRV1** and select **OK**.
14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
17. Close the ADSI Edit console and switch back to SRV1.
18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```cmd
C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
```
1. Provide the following information in the Configuration Manager Setup Wizard:
19. Provide the following information in the Configuration Manager Setup Wizard:
- **Before You Begin**: Read the text and select *Next*.
- **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- Select **Yes** in response to the popup window.
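Review bot: steps 5 and 18 keep the wording "enter the following command at an elevated Windows PowerShell prompt" while their fences are changed to `cmd` and the `cmd /c` prefix is dropped from `C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe` and `C:\configmgr\SMSSETUP\BIN\X64\Setup.exe`. Both invocations work from PowerShell as written because the full path is given, so dropping `cmd /c` is correct, but the prose and tag should match; use `powershell` or say "command prompt". Step 6 is consistent (it says "elevated command prompt on DC1" and tags `adsiedit.msc` as `cmd`). In the ADSI steps, "Right-click **CN=system Management**" should read **CN=System Management** to match the container name entered in step 10.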
@ -206,7 +217,7 @@ The procedures in this guide are summarized in the following table. An estimate
Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete.
1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
```powershell
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
@ -217,24 +228,30 @@ The procedures in this guide are summarized in the following table. An estimate
> [!IMPORTANT]
> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
<!--
THE LINK REFERENCED IN THE BELOW URL IS DEAD SO COMMENTING OUT
> If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/).
-->
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
```
3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
3. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
```cmd
D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi
```
4. Install DaRT 10 using default settings.
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
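Review bot: the new `cmd` block for DaRT drops the quotes around a path that contains a space (`DaRT 10`), so `D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi` fails at a command prompt with "'D:\DaRT\DaRT' is not recognized", and step 3 still says to enter it at an elevated Windows PowerShell prompt, where an unquoted path with a space fails the same way. Either keep the quotes for the command prompt, e.g. `"D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"`, and change the step wording to "at an elevated command prompt", or keep the original `cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"` (or `& "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"`) under a powershell fence so the fence matches the prompt named in the text.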
@ -247,7 +264,7 @@ This section contains several procedures to support Zero Touch installation with
### Create a folder structure
1. Type the following commands at a Windows PowerShell prompt on SRV1:
1. Enter the following commands at a Windows PowerShell prompt on SRV1:
```powershell
New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
@ -262,56 +279,78 @@ This section contains several procedures to support Zero Touch installation with
### Enable MDT ConfigMgr integration
1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**.
2. Type `PS1` as the **Site code**, and then select **Next**.
1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**.
2. Enter `PS1` as the **Site code**, and then select **Next**.
3. Verify **The process completed successfully** is displayed, and then select **Finish**.
### Configure client settings
1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar.
3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab.
4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**.
5. In the display pane, double-click **Default Client Settings**.
6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**.
6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**.
### Configure the network access account
1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**.
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
4. Select the yellow starburst and then select **New Account**.
5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**.
6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice.
5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**.
6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice.
### Configure a boundary group
1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
3. Choose **Default-First-Site-Name** and then select **OK** twice.
4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox.
7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice.
### Add the state migration point role
1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**.
3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**.
4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
5. Select **Next** twice and then select **Close**.
### Enable PXE on the distribution point
> [!IMPORTANT]
> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
WDSUTIL /Set-Server /AnswerClients:None
```cmd
WDSUTIL.exe /Set-Server /AnswerClients:None
```
1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1:
1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
(Get-NetAdapter "Ethernet").MacAddress
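Review bot: the WDSUTIL block is now fenced as `cmd`, but the important note directly above it still says to enter the "commands" at an elevated Windows PowerShell prompt, and there is only one command; make the wording and the fence agree, e.g. "enter the following command at an elevated command prompt". In the same region, four steps still begin lowercase with "in the **Administration** workspace" (under "Configure the network access account", "Configure a boundary group" and "Add the state migration point role"); since the neighbouring steps are being edited for "type" to "enter" anyway, capitalize "In" so they match the other list items.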
@ -321,8 +360,11 @@ WDSUTIL /Set-Server /AnswerClients:None
> If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**.
3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**.
4. On the PXE tab, select the following settings:
- **Enable PXE support for clients**. Select **Yes** in the popup that appears.
- **Allow this distribution point to respond to incoming PXE requests**
- **Enable unknown computer support**. Select **OK** in the popup that appears.
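Review bot: the note about the adapter name still ends with "by typing **ipconfig**", which is the wording this change replaces with "enter" everywhere else, and elsewhere in the change executables are written as code with their extension (`net.exe`, `WDSUTIL.exe`, `notepad.exe`); "by entering `ipconfig.exe`" would match both conventions.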
@ -334,10 +376,11 @@ WDSUTIL /Set-Server /AnswerClients:None
![Config Mgr PXE.](images/configmgr-pxe.png)
5. Select **OK**.
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```powershell
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```cmd
dir /b C:\RemoteInstall\SMSBoot\x64
abortpxe.com
bootmgfw.efi
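Review bot: removing the `cmd /c` wrapper changes where the command works: step 6 still says to enter it at an elevated Windows PowerShell prompt, but at a PowerShell prompt `dir /b C:\RemoteInstall\SMSBoot\x64` resolves `dir` to `Get-ChildItem`, which does not accept `/b` and fails, whereas the original `cmd /c dir /b C:\RemoteInstall\SMSBoot\x64` ran correctly from PowerShell. Either change the step text to "at an elevated command prompt" to match the new `cmd` fence, or keep the PowerShell wording and use `Get-ChildItem C:\RemoteInstall\SMSBoot\x64 -Name` (the `-Name` switch gives the bare listing that `/b` does) under a powershell fence.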
@ -349,12 +392,12 @@ WDSUTIL /Set-Server /AnswerClients:None
```
> [!NOTE]
> If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
> If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
>
> You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
> You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
>
> ```powershell
> Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
> ```cmd
> "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe"
> ```
>
> The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
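Review bot: the CMTrace line in the note no longer launches anything from the prompt the text names: the sentence still says to enter it at an elevated Windows PowerShell prompt, but in PowerShell a bare quoted string such as `"C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe"` is only echoed as a string, not executed, while the replaced `Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'` did open the tool. Either prefix the path with the call operator (`& "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe"`) under a powershell fence, or change the wording to "at an elevated command prompt", where the quoted path does launch the program. The `net share REMINST` to `net.exe share REMINST` change is fine and consistent with `WDSUTIL.exe` above.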
@ -366,7 +409,8 @@ WDSUTIL /Set-Server /AnswerClients:None
### Create a branding image file
1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image.
2. Type the following command at an elevated Windows PowerShell prompt:
2. Enter the following command at an elevated Windows PowerShell prompt:
```powershell
Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp"
@ -378,16 +422,26 @@ WDSUTIL /Set-Server /AnswerClients:None
### Create a boot image for Configuration Manager
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
- The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later.
3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**.
3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**.
4. On the Options page, under **Platform** choose **x64**, and select **Next**.
5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**.
6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
7. Select **Finish**.
8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**.
9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**.
10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
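Review bot: step 10 of "Create a boot image for Configuration Manager" keeps `Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'` under a `powershell` fence, while the identical instruction in the PXE note earlier in this file was changed to a `cmd` fence with only the quoted path; both steps tell the reader to use an elevated Windows PowerShell prompt, so they should use the same form, and the `Invoke-Item` form is the one that actually works at that prompt.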
@ -400,12 +454,15 @@ WDSUTIL /Set-Server /AnswerClients:None
```
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab.
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**.
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
```console
cmd /c dir /s /b C:\RemoteInstall\SMSImages
```cmd
dir /s /b C:\RemoteInstall\SMSImages
C:\RemoteInstall\SMSImages\PS100004
C:\RemoteInstall\SMSImages\PS100005
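Review bot: changing this fence from `console` to `cmd` is harmless here since step 14 names no prompt, but the block mixes the `dir /s /b C:\RemoteInstall\SMSImages` command with its output lines without a prompt or separator; either keep `console` for the command-plus-output listing, as in the other example listings, or show the command on its own and the output as a separate block so readers do not take the output paths for input.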
@ -422,19 +479,19 @@ WDSUTIL /Set-Server /AnswerClients:None
If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**.
1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
1. Use the following settings for the New Deployment Share Wizard:
5. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**
- Share name: **MDTBuildLab$**
- Deployment share description: **MDT build lab**
@ -443,22 +500,23 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
- Progress: settings will be applied
- Confirmation: Select **Finish**
1. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
1. Use the following settings for the Import Operating System Wizard:
9. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**
- Source: **D:\\**
- Destination: **W10Ent_x64**
- Summary: Select **Next**
- Confirmation: Select **Finish**
1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**
- Task sequence name: **Windows 10 Enterprise x64 Default Image**
- Task sequence comments: **Reference Build**
@ -467,31 +525,31 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- Internet Explorer home page: **http://www.contoso.com**
- Internet Explorer home page: **`http://www.contoso.com`**
- Admin Password: **Do not specify an Administrator password at this time**
- Summary: Select **Next**
- Confirmation: Select **Finish**
1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
> [!NOTE]
> Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications.
1. Select **OK** to complete editing the task sequence.
18. Select **OK** to complete editing the task sequence.
1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
1. Replace the default rules with the following text:
20. Replace the default rules with the following text:
```ini
[Settings]
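Review bot: the renumbered step 12 carries over a typo, "Microsoft NET Framework 3.5" should be "Microsoft .NET Framework 3.5" (step 16 in the same list spells the feature ".NET Framework 3.5 (includes .NET 2.0 and 3.0)"); since the line is being rewritten for the number anyway, fix the name in the same edit. Wrapping the home page as `http://www.contoso.com` in backticks is a good change, as the bare URL would otherwise be rendered as a live link.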
@ -526,7 +584,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
SkipFinalSummary=NO
```
1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```ini
[Settings]
@ -540,18 +598,18 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
SkipBDDWelcome=YES
```
1. Select **OK** to complete the configuration of the deployment share.
22. Select **OK** to complete the configuration of the deployment share.
1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
> [!TIP]
> To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**.
1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
```powershell
New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@ -561,9 +619,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
vmconnect localhost REFW10X64-001
```
1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures:
@ -579,7 +637,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
### Add a Windows 10 OS image
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
@ -588,9 +646,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**.
3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**.
@ -610,9 +668,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**.
3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
4. On the Details page, enter the following settings:
- Join a domain: **contoso.com**
- Account: Select **Set**
- User name: **contoso\CM_JD**
@ -632,9 +691,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**.
7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**.
8. On the MDT Details page, next to **Name:** enter **MDT** and then select **Next**.
9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**.
@ -644,9 +703,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**.
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**.
14. On the Settings Details page, next to **Name:**, enter **Windows 10 x64 Settings**, and select **Next**.
15. On the Sysprep Package page, select **Next** twice.
@ -663,6 +722,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**.
5. Configure this **Request State Store** step with the following settings:
- Request state storage location to: **Restore state from another computer**
- Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- Options tab: Select the **Continue on error** checkbox.
@ -676,6 +736,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**.
7. Configure this **Release State Store** step with the following settings:
- Options tab: Select the **Continue on error** checkbox.
- Add Condition: **Task Sequence Variable**:
- Variable: **USMTLOCAL**
@ -704,10 +765,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
5. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
```cmd
notepad.exe "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
```
6. Replace the contents of the file with the following text, and then save the file:
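Review bot: the fence tag on the `notepad.exe` block was changed from `powershell` to `cmd`, but the step above it still says to enter the command at an elevated Windows PowerShell prompt; the two should agree. The command runs identically in either shell, so the least disruptive fix is to keep `powershell` here, or else change the step text to "elevated command prompt" as was done for the PC1 steps later in this change.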
@ -735,9 +796,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
> OSDMigrateAdditionalCaptureOptions=/all
> ```
7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
7. Return to the Configuration Manager console, and in the **Software Library** workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
8. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**.
@ -745,7 +806,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
### Create a deployment for the task sequence
1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
1. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**.
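Review bot: deploying the OS task sequence to **All Unknown Computers** means any machine that PXE-boots on this network is offered the image; that is what the lab wants, but a one-line caveat that this collection should not be targeted with an OS deployment outside an isolated PoC network would be a useful addition to step 2.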
@ -761,7 +822,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings.
1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
1. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@ -776,7 +837,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
5. At the command prompt, enter **explorer.exe** and review the Windows PE file structure.
6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
- X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted.
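Review bot: the F8 prompt in step 4 only appears when command support (testing only) is enabled on the boot image, and it gives anyone at the console a SYSTEM shell in Windows PE regardless of the wizard's password; worth one sentence saying this is a lab setting that should be switched off on production boot images. The smsts.log locations added in step 6 are the right thing to point troubleshooters at.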
@ -796,6 +857,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment.
11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
- Install Windows 10
- Install the Configuration Manager client and hotfix
- Join the computer to the contoso.com domain
@ -803,7 +865,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
13. Right-click **Start**, select **Run**, enter **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
14. Shut down the PC4 VM.
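Review bot: step 13 now reads "enter **control appwiz.cpl**, press ENTER", which doubles up; since the sweep replaces "type" with "enter", either drop the trailing "press ENTER" or keep "type" for the Run dialog steps where the key press is spelled out. The same pairing appears in the `systeminfo` step of the test-lab page in this change.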
@ -821,19 +883,25 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
### Create a replace task sequence
1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
1. On SRV1, in the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**.
3. On the General page, type the following information:
3. On the General page, enter the following information:
- Task sequence name: **Replace Task Sequence**
- Task sequence comments: **USMT backup only**
4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue.
5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue.
6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue.
7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue.
8. On the Summary page, review the details and then select **Next**.
9. On the Confirmation page, select **Finish**.
> [!NOTE]
@ -841,7 +909,7 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
### Deploy PC4
Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@ -856,61 +924,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
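Review bot: `New-VM` here reuses the VHD path `c:\vhd\pc4.vhdx` that the PXE scenario created at 40GB (this one asks for 60GB); if the earlier PC4 VM and its VHD have not been removed, the cmdlet fails on the existing file. Confirm that the removal of the first PC4 is stated before this step, or add a `Remove-VM` and delete-VHD line ahead of it.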
1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
2. If you haven't already saved a checkpoint for PC1, then do it now. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
1. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
1. When a popup dialog box asks if you want to run full discovery, select **Yes**.
1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
3. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
5. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
6. When a popup dialog box asks if you want to run full discovery, select **Yes**.
7. In the **Assets and Compliance** workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
> [!TIP]
> If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console.
The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next.
1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
8. Sign in to PC1 using the contoso\administrator account and enter the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
> [!Note]
> This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt.
> This command requires an elevated command prompt, not an elevated Windows PowerShell prompt.
```dos
sc stop ccmsetup
```cmd
sc.exe stop ccmsetup
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
```
> [!NOTE]
> If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client).
1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type:
9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, enter:
```dos
net stop wuauserv
net stop BITS
```cmd
net.exe stop wuauserv
net.exe stop BITS
```
Verify that both services were stopped successfully, then type the following command at an elevated command prompt:
Verify that both services were stopped successfully, then enter the following command at an elevated command prompt:
```dos
```cmd
del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
net start BITS
bitsadmin /list /allusers
net.exe start BITS
bitsadmin.exe /list /allusers
```
Verify that BITSAdmin displays zero jobs.
1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt:
10. To install the Configuration Manager client as a standalone process, enter the following command at an elevated command prompt:
```dos
```cmd
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
```
1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can enter the following command at an elevated Windows PowerShell prompt to monitor installation progress:
```powershell
Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
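Review bot: the `del` in step 9 goes through the `%ALLUSERSPROFILE%\Application Data` compatibility junction, which exists only for legacy software and is hidden and list-denied; the real directory is `%ALLUSERSPROFILE%\Microsoft\Network\Downloader`, so use that path directly. Also, `wuauserv` is stopped in this step and never started again in the procedure; if that is intentional because the task sequence re-images PC1, say so.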
@ -918,21 +991,21 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
```dos
control smscfgrc
```cmd
control.exe smscfgrc
```
1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
14. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
![site.](images/configmgr-site.png)
If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry.
1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
15. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
16. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
![client.](images/configmgr-client.png)
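Review bot: "CcmSetup is existing with return code 0" at the top of this hunk should be "CcmSetup is exiting with return code 0", which is the literal string written to ccmsetup.log; readers searching the log for the quoted text will not find the current wording. Step 13 also still says "by typing the following command" while the rest of the change converts "type" to "enter".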
@ -941,9 +1014,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a device collection and deployment
1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- General > Name: **Install Windows 10 Enterprise x64**
- General > Limiting collection: **All Systems**
- Membership Rules > Add Rule: **Direct Rule**
@ -956,7 +1030,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
4. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
5. Use the following settings in the Deploy Software wizard:
- General > Collection: Select Browse and select **Install Windows 10 Enterprise x64**
@ -971,24 +1045,25 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Associate PC4 with PC1
1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**.
1. On SRV1 in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices** and then select **Import Computer Information**.
2. On the Select Source page, choose **Import single computer** and select **Next**.
3. On the Single Computer page, use the following settings:
- Computer Name: **PC4**
- MAC Address: **00:15:5D:83:26:FF**
- Source Computer: \<type the hostname of PC1, or select **Search** twice, select the hostname, and select **OK**\>
- Source Computer: \<enter the hostname of PC1, or select **Search** twice, select the hostname, and select **OK**\>
4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**.
5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice.
5. Select **Browse** and then under **Enter the object name to select** enter **user1** and select **OK** twice.
6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account.
7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**.
8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**.
8. In the **Assets and Compliance** workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration enter will be **side-by-side**.
9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**.
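Review bot: the edit to step 8 turned "the migration type will be **side-by-side**" into "the migration enter will be **side-by-side**", so the type-to-enter replacement hit a noun here; restore "migration type".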
@ -1000,9 +1075,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a device collection for PC1
1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- General > Name: **USMT Backup (Replace)**
- General > Limiting collection: **All Systems**
- Membership Rules > Add Rule: **Direct Rule**
@ -1032,15 +1108,15 @@ In the Configuration Manager console, in the **Software Library** workspace, und
1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt:
```dos
control smscfgrc
```cmd
control.exe smscfgrc
```
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure.
3. Type the following command at an elevated command prompt to open the Software Center:
3. Enter the following command at an elevated command prompt to open the Software Center:
```dos
```cmd
C:\Windows\CCM\SCClient.exe
```
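Review bot: step 1 still reads "by typing the following command in a command prompt" while its fence was changed to `cmd`; for consistency with the rest of the sweep use "enter the following command at a command prompt" here and in the identical step of the client-install procedure above. Separately, step 3 says to open Software Center from an elevated prompt; `SCClient.exe` runs as the signed-in user and does not need elevation, so either drop the requirement or explain it.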
@ -1052,26 +1128,30 @@ In the Configuration Manager console, in the **Software Library** workspace, und
> If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**.
6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup.
### Deploy the new computer
1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Start-VM PC4
vmconnect localhost PC4
```
1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
1. Choose the **Windows 10 Enterprise X64** image.
1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
3. Choose the **Windows 10 Enterprise X64** image.
4. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
5. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
> [!Note]
> The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs.
To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
To save a checkpoint for all VMs, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name DC1 -SnapshotName cm-refresh
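Review bot: step 3 selects the "Windows 10 Enterprise X64" image while the task sequence is named "Windows 10 Enterprise x64" everywhere else on the page; match the casing so readers can find it in the wizard. Also, `pass@word1` is the task sequence password used throughout this lab and is printed here in clear; a short reminder that the value is for the isolated PoC network only would not hurt.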
@ -1083,14 +1163,17 @@ In the Configuration Manager console, in the **Software Library** workspace, und
### Initiate the computer refresh
1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
1. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box.
3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**.
4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example:
![installOS.](images/configmgr-install-os.png)
The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example:
The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the **Monitoring** workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example:
![asset.](images/configmgr-asset.png)
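Review bot: the paragraph after step 4 still says "clicking **Deployments**" and "double-clicking the deployment" while the rest of the change standardises on "select"; change to "select **Deployments**" and "then open the deployment". The same paragraph could also point at smsts.log on the client, as the PXE procedure already does, for cases where the console status view is not enough.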
@ -9,12 +9,12 @@ ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: tutorial
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Step by step guide: Configure a test lab to deploy Windows 10
*Applies to*
*Applies to:*
- Windows 10
@ -69,6 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
- **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
- **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2.
Hardware requirements are displayed below:
@ -92,7 +93,9 @@ The lab architecture is summarized in the following diagram:
![PoC diagram.](images/poc.png)
- Computer 1 is configured to host four VMs on a private, PoC network.
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
- Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
> [!NOTE]
@ -120,8 +123,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
```console
C:\>systeminfo
```cmd
C:\>systeminfo.exe
...
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
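Review bot: this block is a captured prompt plus output (`C:\>systeminfo.exe`, then the `Hyper-V Requirements` lines), so retagging it from `console` to `cmd` presents it as a command listing that it is not; either keep `console` for transcript blocks or split the command into its own `cmd` fence and leave the output untagged. The same applies to the `coreinfo.exe -v` block below and the `mkdir`/`ren` sequence after it.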
@ -136,8 +139,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
```console
C:\>coreinfo -v
```cmd
C:\>coreinfo.exe -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
Copyright (C) 2008-2014 Mark Russinovich
@ -205,7 +208,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
The following example displays the procedures described in this section, both before and after downloading files:
```console
```cmd
C:>mkdir VHD
C:>cd VHD
C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd
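Review bot: `C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd` keeps an HTML entity inside a fenced code block; CommonMark does not decode entities in code blocks, so the rendered page shows `&gt;` literally. Replace it with `>` and, while here, make the prompts consistent, since the first two lines show `C:>` without the backslash.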
@ -225,13 +228,23 @@ When you have completed installation of Hyper-V on the host computer, begin conf
If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.<!-- only works with locale :( -->
1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
> [!NOTE]
> The above link may not be available in all locales.
2. Under **Virtual machine**, choose **IE11 on Win7**.
3. Under **Select platform**, choose **HyperV (Windows)**.
4. Select **Download .zip**. The download is 3.31 GB.
5. Extract the zip file. Three directories are created.
6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
If you have a PC available to convert to VM (computer 2):
@ -242,6 +255,7 @@ If you have a PC available to convert to VM (computer 2):
> The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network.
2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
#### Determine the VM generation and partition type
@ -256,6 +270,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
```powershell
@ -265,7 +280,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
```powershell
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
---------- ------- ----
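Review bot: dropping the `PS C:>` prompt leaves a `powershell` block that mixes the command with its output table, so a reader who copies the block gets the column headers too; keep the prompt on the command line or separate the command from its output. `Get-WmiObject` is the right cmdlet for the Windows 7 targets this page covers, since `Get-CimInstance` needs PowerShell 3.0 or later, so no change needed there.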
@ -276,7 +291,7 @@ USER-PC1 Disk #0, Partition #1 GPT
On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
```powershell
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
---------- ------- ----
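Review bot: Same prompt-removal issue as the previous hunk: this single `powershell` fence now holds the `Get-WmiObject` command, its table, and the `Get-Disk` command and table with nothing marking where one ends and the next begins; keep the prompts or split command and output into separate blocks.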
@ -293,34 +308,32 @@ Number Friendly Name OperationalStatus Tota
0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT
```
<span id="determine-vm-generation"/>
**Choosing a VM generation**
##### Choosing a VM generation
The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
**Windows 7 MBR**
###### Windows 7 MBR
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
|64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
**Windows 7 GPT**
###### Windows 7 GPT
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|N/A|N/A|
|64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
**Windows 8 or later MBR**
###### Windows 8 or later MBR
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
|64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
**Windows 8 or later GPT**
###### Windows 8 or later GPT
|Architecture|VM generation|Procedure|
|--- |--- |--- |
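Review bot: Replacing `<span id="determine-vm-generation"/>` with the `##### Choosing a VM generation` heading changes the anchor to `#choosing-a-vm-generation`; the in-page links are updated in this commit, but any already published external links to `#determine-vm-generation` will now land at the top of the page, so keep the span next to the new heading if that anchor has been shared. The hierarchy also now runs `####` > `#####` > `######`, with H6 headings used as labels for four variants of the same three-column table; a single table with an OS/partition column, or plain bold labels as before, would read better than H6 headings.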
@ -347,7 +360,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example.
> [!IMPORTANT]
> You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
> You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation).
4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example:
@ -374,13 +387,14 @@ The following tables display the Hyper-V VM generation to choose based on the OS
2. On the computer you wish to convert, open an elevated command prompt and type the following command:
```console
mountvol s: /s
```cmd
mountvol.exe s: /s
```
This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected.
> [!IMPORTANT]
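Review bot: The prose at the end of this hunk still says `(ex: mountvol z: /s)` while the block was changed to `mountvol.exe s: /s`; update the inline example to match. Worth adding at this step: selecting both `C:\` and the mounted EFI system volume means the VHDX captured contains the complete OS volume of PC1, including its local account database and any cached domain credentials, so the file copied to the Hyper-V host in the following step should be stored and handled with the same care as the source disk.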
@ -394,7 +408,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
```console
```cmd
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@ -409,6 +423,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
> [!NOTE]
@ -524,7 +539,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
> [!NOTE]
> The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
To create a generation 1 VM (using c:\vhd\w7.vhdx):
@ -574,19 +589,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
The VM will automatically boot into Windows Setup. In the PC1 window:
1. Select **Next**.
2. Select **Repair your computer**.
3. Select **Troubleshoot**.
4. Select **Command Prompt**.
5. Type the following command to save an image of the OS drive:
```console
dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
```cmd
dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
```
6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
```console
diskpart
```cmd
diskpart.exe
select disk 0
clean
convert MBR
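Review bot: The `diskpart.exe` block mixes the launching command with diskpart's interactive subcommands, and `clean` is destructive: it removes every partition on the selected disk, and at that point `D:\c.wim` is the only copy of the OS. Add a `list disk` before `select disk 0` so the reader confirms which disk is 0 inside the recovery environment, and say that drive letters there can differ from the running OS, so `D:` must be checked as the capture target before `dism.exe /Capture-Image` is run and `C:` before `clean`.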
@ -601,14 +620,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
7. Type the following commands to restore the OS image and boot files:
```console
dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
bcdboot c:\windows
```cmd
dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
bcdboot.exe c:\windows
exit
```
8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD.
9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**.
10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
```powershell
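Review bot: `bcdboot.exe c:\windows` relies on bcdboot's default firmware type, which is correct here only because the VM is a generation 1 (BIOS) VM booted from the DVD; since the disk was just converted from GPT to MBR, passing `/f BIOS` explicitly, or stating that the default is right for a generation 1 VM, would stop a reader adapting these steps from ending up with EFI boot files on an MBR disk. Step 8's "Don't boot from DVD" deserves emphasis too, since the DVD stays attached until step 10 removes the temporary disks and drives.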
@ -626,8 +647,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
```
2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**.
3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account.
> [!NOTE]
> Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
```powershell
@ -690,7 +717,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
The following output should be displayed:
```powershell
```console
UseRootHint : True
Timeout(s) : 3
EnableReordering : True
@ -752,8 +779,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection:
```console
ipconfig
```cmd
ipconfig.exe
Windows IP Configuration
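Review bot: The block now reads `ipconfig.exe`, but the sentence introducing it still says type `ipconfig`, `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com`; apply the `.exe` convention to the prose as well or leave the block as plain `ipconfig`, since inconsistent names within one step read as two different tools. The `cmd` tag also covers the `Windows IP Configuration` output that follows, where the rest of this commit uses `console` for output.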
@ -909,8 +936,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
```powershell
ping www.microsoft.com
```cmd
ping.exe www.microsoft.com
```
If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
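Review bot: `ping.exe` tests name resolution and ICMP reachability together, so the only outcome that proves a DNS problem is the exact "could not find host" text the next paragraph keys on; a "Request timed out" reply means the name resolved but ICMP is filtered, which is common for internet hosts and is not a forwarder problem. Say so explicitly, or use `Resolve-DnsName -Name www.microsoft.com` (already used in Appendix A) as the DNS test so a firewall symptom can't be misread as a DNS symptom.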
@ -924,8 +951,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK):
```powershell
PS C:\> ping www.microsoft.com
```cmd
ping www.microsoft.com
Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
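Review bot: This block shows `ping www.microsoft.com` while the block in the previous step was changed to `ping.exe www.microsoft.com`; pick one form. Dropping the `PS C:\>` prompt also leaves the command and the `Pinging ...` output together in one `cmd` block with nothing separating them; keep a prompt or tag the output `console`.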
@ -943,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm"
Restart-Computer
```
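Review bot: `slmgr` is a script (`slmgr.vbs` in System32), not an executable, so under the `.exe` convention this commit applies, `"cmd.exe /c slmgr -rearm"` only works because `cmd.exe` resolves `slmgr` through PATHEXT; either write it as `slmgr.vbs` (run through `cscript.exe` with the script's full path) or leave the suffixes off this line rather than half-applying the convention. Also note for readers that `runas.exe` prompts interactively for the domain administrator password, so `Restart-Computer` on the next line does not run until that prompt is answered.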
@ -963,7 +990,7 @@ Use the following procedures to verify that the PoC environment is configured pr
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
Get-DhcpServerInDC
Get-DhcpServerv4Statistics
ipconfig /all
ipconfig.exe /all
```
**Get-Service** displays a status of "Running" for all three services.
@ -988,8 +1015,8 @@ Use the following procedures to verify that the PoC environment is configured pr
Get-Service DNS,RemoteAccess
Get-DnsServerForwarder
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
ipconfig /all
netsh int ipv4 show address
ipconfig.exe /all
netsh.exe int ipv4 show address
```
**Get-Service** displays a status of "Running" for both services.
@ -1004,38 +1031,38 @@ Use the following procedures to verify that the PoC environment is configured pr
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
```powershell
whoami
hostname
nslookup www.microsoft.com
ping -n 1 dc1.contoso.com
tracert www.microsoft.com
```cmd
whoami.exe
hostname.exe
nslookup.exe www.microsoft.com
ping.exe -n 1 dc1.contoso.com
tracert.exe www.microsoft.com
```
**whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
**whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
**hostname** displays the name of the local computer, for example W7PC-001.
**hostname.exe** displays the name of the local computer, for example W7PC-001.
**nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
**nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
**ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
**ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
**tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
**tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
## Appendix B: Terminology used in this guide
|Term|Definition|
|--- |--- |
|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
|Hyper-V host|The computer where Hyper-V is installed.|
|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.|
|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
|**Hyper-V host**|The computer where Hyper-V is installed.|
|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.|
|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
## Next steps
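Review bot: The fence changed to `cmd` but the sentence above it still says "open an elevated Windows PowerShell prompt", and the `whoami.exe` explanation below also says "in an elevated Windows PowerShell prompt"; either keep `powershell` (all five tools run unchanged there) or change the prose to a command prompt. A caveat for the `nslookup.exe` line would also help: `nslookup` queries the DNS server directly and bypasses the local resolver cache and hosts file, so it can succeed where `ping.exe` on the same host fails, or the reverse, and the two results should be read together rather than as a single DNS check.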

@ -9,13 +9,13 @@ ms.prod: windows-client
ms.collection:
- M365-modern-desktop
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Switch to Windows 10 Pro or Enterprise from S mode
We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
@ -37,20 +37,26 @@ Many other transformations are possible depending on which version and edition o
| | Home | Not by any method | Not by any method | Not by any method |
Use the following information to switch to Windows 10 Pro through the Microsoft Store.
> [!IMPORTANT]
> While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
## Switch one device through the Microsoft Store
Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
Note these differences affecting switching modes in various releases of Windows 10:
- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
1. Sign into the Microsoft Store using your Microsoft account.
- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
1. Sign into the Microsoft Store using your Microsoft account.
2. Search for "S mode".
3. In the offer, select **Buy**, **Get**, or **Learn more.**
You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
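Review bot: The new IMPORTANT note reads as self-contradictory: it first says the only rollback is a bare-metal recovery reset that restores factory state, then says a switched device "will remain out of S mode even after the device is reset". Make explicit that a normal reset from Settings (push-button reset) keeps the device out of S mode and that only reinstalling from BMR/factory media restores it. Since S mode is the control that limits the device to Store apps, it is worth saying in the same note that the switch is one-way from a security standpoint and pointing to the "Block users from switching" section below. Also check that the older "Use the following information to switch to Windows 10 Pro through the Microsoft Store." sentence above the note is removed, since the new section intro repeats it with the Settings path added.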
@ -60,13 +66,14 @@ You'll be prompted to save your files before the switch starts. Follow the promp
Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
1. Start Microsoft Intune.
2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**.
3. Follow the instructions to complete the switch.
## Block users from switching
You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
To set this policy, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
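Review bot: In the "Block users from switching" paragraph the bold run now ends with `**... mode switch in Microsoft Intune**`, which presents "in Microsoft Intune" as part of the UI path; close the bold after **Edition upgrade and mode switch** and leave "in Microsoft Intune" as plain text, matching the path two paragraphs up. It would also help to state here that the **Keep in S mode** policy applies to version 1809 and later, as the version list earlier in the article says, so readers on 1709 or 1803 don't expect it to take effect.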
## S mode management with CSPs
@ -77,4 +84,4 @@ In addition to using Microsoft Intune or another modern device management tool t
[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)<br>
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)<BR>
[Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)<BR>
[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune)
[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune)

@ -13,7 +13,7 @@ ms.collection:
search.appverid:
- MET150
ms.topic: conceptual
ms.date: 10/31/2022
ms.date: 11/23/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
@ -98,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac
> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
> [!IMPORTANT]
> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
@ -144,7 +144,7 @@ You can benefit by moving to Windows as an online service in the following ways:
> [!NOTE]
> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
The device is Azure AD-joined from **Settings > Accounts > Access work or school**.
The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**.
You assign Windows 10 Enterprise to a user:

@ -6,7 +6,7 @@ ms.author: frankroj
manager: aaroncz
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@ -19,50 +19,50 @@ In previous releases of Windows, the Windows ADK docs were published on both Tec
Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
### Create a Windows image using command-line tools
## Create a Windows image using command-line tools
[DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.
Here are some things you can do with DISM:
- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation.
Here are some things you can do with Sysprep:
- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
Here are ways you can create a WinPE image:
- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
[Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems.
Here are some things you can do with Windows RE:
- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
[Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation.
Here are some things you can do with Windows SIM:
- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
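Review bot: Promoting only "Create a Windows image using command-line tools" from `###` to `##` leaves it a level above its siblings; the next hunk keeps "### IT Pro Windows deployment tools" at H3, so either promote all the scenario headings under "Here are some key scenarios" or leave this one at `###`. Unrelated to the whitespace changes, two bullets in the WinPE list point at the same target: "Create a Boot CD, DVD, ISO, or VHD" links to `winpe-create-usb-bootable-drive`, the same page as the USB bullet; that looks like a copy-paste and should link to the CD/DVD/ISO/VHD topic.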
@ -72,12 +72,12 @@ Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/wi
Here are some things you can do with Windows ICD:
- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
### IT Pro Windows deployment tools
There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
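Review bot: "this documentation is available on TechNet" no longer matches the links that follow it, which are in-repo relative paths (`volume-activation/volume-activation-management-tool.md`, `usmt/usmt-technical-reference.md`); reword to something like "the following documentation is also available" so the sentence does not point readers at a retired site.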

View File

@ -14,9 +14,7 @@ msreviewer: hathind
# Fix issues found by the Readiness assessment tool
Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
If you need more assistance with tenant enrollment, you can submit a [tenant enrollment support request](#submit-a-support-request).
Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
## Check results
@ -72,27 +70,3 @@ Windows Autopatch requires the following licenses:
| Result | Meaning |
| ----- | ----- |
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
## Submit a support request
> [!IMPORTANT]
> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
If you need more assistance with tenant enrollment, you can submit support tickets to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
**To submit a new support request:**
1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual check. The **Contact Support** button will be available below remediation instructions in the fly-in-pane.
2. Enter your question(s) and/or a description of the problem.
3. Review all the information you provided for accuracy.
4. When you're ready, select **Create**.
### Manage an active support request
The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request.
**To view all your active pre-enrollment support requests:**
1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
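Review bot: removing the entire "Submit a support request" section, including the IMPORTANT note about verified admin contacts and the "Support history" steps, leaves this article with no guidance on where to escalate once the Readiness assessment tool fails; if that content moved to another article, add a link to the new location where the old `#submit-a-support-request` link was, otherwise readers lose the "Contact Support" flyout instructions entirely.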

View File

@ -6,12 +6,10 @@ summary: 'Note: Windows Autopilot documentation has moved! A few more resources
metadata:
title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-deploy
ms.collection:
- windows-10
- highpri
author: frankroj
ms.author: frankroj
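Review bot: the template comments `# Required; page title displayed in search results. Include the brand. < 60 chars.` and the matching one on `description` are left in place while the identical comment on `ms.topic` is removed; either strip all of the template comments in this metadata block or keep them consistently.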

View File

@ -6,7 +6,7 @@ ms.author: frankroj
author: frankroj
ms.prod: windows-client
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
@ -32,13 +32,13 @@ DISM is one of the deployment tools included in the Windows ADK and is used for
DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
``` syntax
```cmd
Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
```
In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
``` syntax
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
-Source D:\Sources\SxS -LimitAccess
```
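Review bot: the PowerShell example is split across two lines without a continuation, so `-Source D:\Sources\SxS -LimitAccess` is parsed as a separate statement and fails when copied from the page; join it onto one line with `Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess`, or end the first line with a backtick. The fence language change to `cmd` and `powershell` is correct.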
@ -55,15 +55,15 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a
USMT includes several command-line tools, the most important of which are ScanState and LoadState:
- **ScanState.exe.** This tool performs the user-state backup.
- **LoadState.exe.** This tool performs the user-state restore.
- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe.
- **ScanState.exe**: This tool performs the user-state backup.
- **LoadState.exe**: This tool performs the user-state restore.
- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe.
In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
- **Migration templates.** The default templates in USMT.
- **Custom templates.** Custom templates that you create.
- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
- **Migration templates**: The default templates in USMT.
- **Custom templates**: Custom templates that you create.
- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
![A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files..](images/mdt-11-fig06.png)
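Review bot: the image alt text ends with a doubled period ("and their files..") and is long enough to be awkward for screen readers; shorten it to a description of the image and move the detail ("excludes .MP3 files on all local drives and includes C:\Data") into the surrounding prose. The bold-colon list style introduced here should also be applied to the MDOP list further down in the same file, which still uses bold-period.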
@ -73,60 +73,21 @@ USMT supports capturing data and settings from Windows Vista and later, and rest
By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
- Specific file types.
<details>
<summary>USMT templates migrate the following file types:</summary>
- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
- `.accdb`
- `.ch3`
- `.csv`
- `.dif`
- `.doc*`
- `.dot*`
- `.dqy`
- `.iqy`
- `.mcw`
- `.mdb*`
- `.mpp`
- `.one*`
- `.oqy`
- `.or6`
- `.pot*`
- `.ppa`
- `.pps*`
- `.ppt*`
- `.pre`
- `.pst`
- `.pub`
- `.qdf`
- `.qel`
- `.qph`
- `.qsd`
- `.rqy`
- `.rtf`
- `.scd`
- `.sh3`
- `.slk`
- `.txt`
- `.vl*`
- `.vsd`
- `.wk*`
- `.wpd`
- `.wps`
- `.wq1`
- `.wri`
- `.xl*`
- `.xla`
- `.xlb`
- `.xls*`
</details>
- The following specific file types:
`.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
> [!NOTE]
> The asterisk (`*`) stands for zero or more characters.
> [!NOTE]
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
- Operating system component settings
- Application settings
- Operating system component settings
- Application settings
These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md).
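Review bot: the two consecutive `> [!NOTE]` callouts should be merged into one, and the second one writes the OpenDocument extensions as `*.odt`, `*.odp`, `*.ods`, which conflicts with the first note's definition of the asterisk as "zero or more characters" (the list above uses it as a trailing suffix, as in `.doc*`); write them as `.odt`, `.odp`, `.ods` to match the list's convention.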
@ -160,7 +121,7 @@ The updated Volume Activation Management Tool.
VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
``` syntax
```powershell
Get-VamtProduct
```
@ -178,7 +139,7 @@ A machine booted with the Windows ADK default Windows PE boot image.
For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro).
## <a href="" id="sec07"></a>Windows Recovery Environment
## Windows Recovery Environment
Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE.
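Review bot: dropping the explicit `<a href="" id="sec07"></a>` anchor from the heading breaks any inbound links to `#sec07`, which the auto-generated `#windows-recovery-environment` id does not cover; search the repo and any redirect map for `sec07` references before removing it, or keep the anchor alongside the new heading.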
@ -204,9 +165,9 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan
Also, there are a few new features related to TFTP performance:
- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability.
- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size.
![TFTP changes are now easy to perform.](images/mdt-11-fig12.png)
@ -214,7 +175,6 @@ TFTP changes are now easy to perform.
## Microsoft Deployment Toolkit
MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager.
@ -242,16 +202,20 @@ MDOP is a suite of technologies available to Software Assurance customers throug
The following components are included in the MDOP suite:
- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies.
- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies.
For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/).
<!--
REMOVING SECTION SINCE INTERNET EXPLORER IS NO LONGER SUPPORTED
## Internet Explorer Administration Kit 11
There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
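Review bot: the App-V and UE-V items keep the bold-with-period style (`**Microsoft Application Virtualization (App-V).** App-V 5.0 ...`) while the USMT and TFTP lists in this same change were converted to bold-colon; convert these to `**... (App-V)**: ...` so the article uses one list style. The App-V 5.0 SP3 / Windows 10 wording is also dated for an article now tagged `itpro-deploy`, so consider refreshing it while the lines are touched.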
@ -262,6 +226,8 @@ The User Experience selection screen in IEAK 11.
To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](/internet-explorer/ie11-ieak/ieak-information-and-downloads) page.
-->
## Windows Server Update Services
WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
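Review bot: prefer deleting the Internet Explorer Administration Kit section outright instead of wrapping it in `<!-- ... -->`; commented-out markdown still ships in source, keeps the dead `/internet-explorer/ie11-ieak/...` link around for link checkers, and the `REMOVING SECTION SINCE INTERNET EXPLORER IS NO LONGER SUPPORTED` marker is exactly what a commit message would carry. Git history preserves the removed text if it is ever needed again.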
@ -274,32 +240,31 @@ For more information on WSUS, see the [Windows Server Update Services Overview](
## Unified Extensible Firmware Interface
For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
### Introduction to UEFI
BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
- 16-bit code
- 1-MB address space
- Poor performance on ROM initialization
- MBR maximum bootable disk size of 2.2 TB
- 16-bit code
- 1-MB address space
- Poor performance on ROM initialization
- MBR maximum bootable disk size of 2.2 TB
As the replacement to BIOS, UEFI has many features that Windows can and will use.
With UEFI, you can benefit from:
- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
### Versions
### UEFI versions
UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
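Review bot: in the "Support for large disks" item, "more than 100 primary disks" should read "primary partitions" (the GPT limit is on partitions per disk, not on disks), and "You just need an UEFI application" should be "a UEFI application"; both lines are being re-indented here, so it is a good moment to fix them. The "BIOS has been in use for approximately 30 years" opener is also stale for a 2022 revision.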
@ -307,10 +272,10 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia
In regard to UEFI, hardware is divided into four device classes:
- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device.
- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS.
- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device.
- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS.
### Windows support for UEFI
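Review bot: the Class 3 item lists only Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2 as UEFI-only capable operating systems, which omits the Windows 10 and Windows 11 releases this article is about; since these lines are being re-indented anyway, update the list (or say "Windows 8 and later") and revisit "the most common type of devices currently available" for Class 2, which no longer holds.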
@ -322,14 +287,14 @@ With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 support
There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB.
- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit).
- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB.
- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit).
For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources.
## Related articles
[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)<br>
[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
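Review bot: the "Related articles" section separates links with a trailing `<br>` instead of a markdown list; render them as `- [Sideload apps in Windows 10](...)` and `- [Windows ADK for Windows 10 scenarios for IT pros](...)` to match the list conventions used throughout the rest of this article.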

View File

@ -8,12 +8,9 @@ brand: windows
metadata:
title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice # Optional; Remove if no subservice is used.
ms.topic: hub-page # Required
ms.topic: hub-page
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: dougeby #Required; microsoft alias of author; optional team alias.
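Review bot: removing the placeholder values `ms.service: subservice` and `ms.subservice: subservice` is the right call, but the same template residue remains in `author: dougeby #Required; your GitHub user alias, with correct capitalization.` and `ms.author: dougeby #Required; microsoft alias of author; optional team alias.` as well as on `title` and `description`; strip those comments too so the metadata block matches the cleaned-up `ms.topic: hub-page` line.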

View File

@ -65,13 +65,13 @@
},
"fileMetadata": {
"author":{
"/identity-protection/hello-for-business/*.md": "paolomatarazzo"
"identity-protection/hello-for-business/**/*.md": "paolomatarazzo"
},
"ms.author":{
"/identity-protection/hello-for-business/*.md": "paoloma"
"identity-protection/hello-for-business/**/*.md": "paoloma"
},
"ms.reviewer":{
"/identity-protection/hello-for-business/*.md": "erikdau"
"identity-protection/hello-for-business/**/*.md": "erikdau"
}
},
"template": [],
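Review bot: the old globs had a leading slash (`/identity-protection/hello-for-business/*.md`), which does not match files relative to the docfx.json directory, so these author, ms.author and ms.reviewer overrides were most likely never applied; this change fixes that silently and should be called out in the commit message. Note also that `**/*.md` now recurses into every subfolder under `hello-for-business`, so confirm all of those files should inherit `paolomatarazzo`, `paoloma` and `erikdau`.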

View File

@ -1,37 +1,23 @@
---
title: Multi-factor Unlock
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 03/20/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Multi-factor Unlock
**Requirements:**
* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer, or Windows 11
* Bluetooth, Bluetooth capable phone - optional
Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim.
Which organizations can take advantage of Multi-factor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
* Want to prevent Information Workers from sharing credentials.
* Want their organizations to comply with regulatory two-factor authentication policy.
* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution.
- Have expressed that PINs alone do not meet their security needs
- Want to prevent Information Workers from sharing credentials
- Want their organizations to comply with regulatory two-factor authentication policy
- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution
You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
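Review bot: "to unlock theim" in the added paragraph is a typo for "to unlock them". The new bullet list uses `-` while the unchanged "Requirements" list directly above still uses `*`, so the file now mixes bullet styles; and the appliesto entry `<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>` should quote its attribute values (`href="..."`, `target="_blank"`) so it stays valid in YAML and HTML.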

View File

@ -1,25 +1,18 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 06/23/2021
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Azure Active Directory join cloud only deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)]
## Introduction
When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed.
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
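Review bot: the rewritten sentence uses "cloud-only environment" while the unchanged line right after it, the heading, and the title still say "cloud only"; pick one spelling (hyphenated is the adjective form) and apply it across the article.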
@ -71,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello
Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
```
These registry settings are pushed from Intune for user policies:
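Review bot: "ensuring to sign-in with your organization's account" in the new sentence is awkward and uses the noun form as a verb; suggest "make sure you sign in with your organization's account". The query itself is fine, since the `id` of the `organization` resource is the tenant ID, but the placeholder in the registry path is written `<Tenant-ID>` while the sentence says "Tenant ID"; consider using one form for both.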

View File

@ -1,22 +1,11 @@
---
title: Having enough Domain Controllers for Windows Hello for Business deployments
description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016 or later</b>
- ✅ <b>Hybrid or On-Premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments

View File

@ -1,19 +1,10 @@
---
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello and password changes

View File

@ -1,21 +1,10 @@
---
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.prod: windows-client
ms.collection:
- M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 01/12/2021
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Holographic for Business</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello biometrics in the enterprise

View File

@ -1,25 +1,15 @@
---
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
# Prepare and Deploy Active Directory Federation Services (AD FS)
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS). The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
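Review bot: the unchanged sentence right after the rewritten one still says "Windows Information Database"; the AD FS configuration store is the Windows Internal Database (WID), so correct the name while this paragraph is open. Also, now that the first sentence no longer ties AD FS to Windows Server 2016, "a new instance of Active Directory Federation Services 2016" in that same sentence reads inconsistently with the "Windows Server 2016 and later" scope in the frontmatter; "a new AD FS instance" would match.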
@ -120,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
## Review & validate
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
- Confirm the AD FS farm uses the correct database configuration.
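Review bot: the `[!INCLUDE [hello-on-premises-cert-trust]` line is inserted under "## Review & validate", in the middle of the validation checklist, whereas every sibling article in this change places the same include directly under its H1; the include renders the deployment-scope banner, so it should be moved to the top of the article (right after "# Prepare and Deploy Active Directory Federation Services (AD FS)") and removed from this section.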

View File

@ -1,28 +1,21 @@
---
title: Configure Windows Hello for Business Policy settings - certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
ms.prod: windows-client
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Configure Windows Hello for Business Policy settings - Certificate Trust
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later.
On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
* Enable Windows Hello for Business
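Review bot: broadening the requirement to "Windows 10 or later" makes the Download Center link (`details.aspx?id=45520`) stale: that package is the standalone RSAT for Windows 10 builds before 1809, and on 1809 and later (and Windows 11) RSAT is a Feature on Demand installed from Settings > Optional features or with `Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0`. Suggest replacing the download sentence with the Feature on Demand instruction. Separately, the unchanged line "On-premises certificate-based deployments ... needs three Group Policy settings" should read "need".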

View File

@ -1,25 +1,17 @@
---
title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Validate Active Directory prerequisites for cert-trust deployment
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
> [!NOTE]
> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.
@ -30,7 +22,9 @@ Manually updating Active Directory uses the command-line utility **adprep.exe**
To locate the schema master role holder, open and command prompt and type:
```Netdom query fsmo | findstr -i “schema”```
```cmd
netdom.exe query fsmo | findstr.exe -i "schema"
```
![Netdom example output.](images/hello-cmd-netdom.png)
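Review bot: the lead-in sentence above the new code block, "open and command prompt and type", should read "open a command prompt and type". The fence change itself is right: the old inline block used curly quotes (“schema”), which fail when pasted into cmd, and the new `cmd` fence with straight quotes is copy-safe.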

View File

@ -1,24 +1,16 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Validate and Deploy Multi-Factor Authentication feature
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
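Review bot: in the unchanged paragraph directly under the new include, "requires all users perform multi-factor authentication" should read "requires that all users perform", and the last sentence of the following paragraph ("... in Windows Server]") is missing its closing period.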

View File

@ -1,29 +1,21 @@
---
title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Validate and Configure Public Key Infrastructure - Certificate Trust Model
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
## Deploy an enterprise certificate authority
This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services.
### Lab-based public key infrastructure
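Review bot: "This guide assumes most enterprise have" in the rewritten sentence should be "most enterprises have"; the typo was carried over from the old line when the Windows Server 2012 qualifier was dropped.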
@ -34,13 +26,13 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
>[!NOTE]
>Never install a certificate authority on a domain controller in a production environment.
1. Open an elevated Windows PowerShell prompt.
2. Use the following command to install the Active Directory Certificate Services role.
1. Open an elevated Windows PowerShell prompt
2. Use the following command to install the Active Directory Certificate Services role
```PowerShell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.
3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration
```PowerShell
Install-AdcsCertificationAuthority
```

View File

@ -1,24 +1,16 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
description: A guide to on premises, certificate trust Windows Hello for Business deployment.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# On Premises Certificate Trust Deployment
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:

View File

@ -1,25 +1,13 @@
---
title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/15/2022
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Deployment Overview
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.

View File

@ -1,17 +1,10 @@
---
title: Windows Hello for Business Deployment Known Issues
description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
params: siblings_only
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/03/2021
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Known Deployment Issues
@ -19,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym
## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error
Applies to:
- Azure AD joined deployments
- Windows 10, version 1803 and later
- Windows 11
PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
### Identifying Azure AD joined PIN Reset Allowed Domains Issue
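Review bot: removing the "Windows 10, version 1803 and later" bullet leaves this section with no statement of the build floor for PIN reset above lock; that is acceptable given every currently supported Windows 10 release is newer than 1803, but the unchanged paragraph that remains has two issues: "Web sign in only allows" should match the hyphenated "web sign-in" used one sentence earlier, and "If it attempts to navigate to a domain that is not allowed it will show" needs a comma after "allowed".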

View File

@ -1,30 +1,21 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Key Deployment
description: A guide to on premises, key trust Windows Hello for Business deployment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# On Premises Key Trust Deployment
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment:
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)

View File

@ -1,19 +1,13 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: erikdau
ms.collection:
- M365-identity-device-management
ms.collection:
- ContentEngagementFY23
ms.topic: how-to
ms.topic: article
localizationpriority: medium
ms.date: 11/15/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.technology: itpro-security
---
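Review bot: changing `ms.topic: how-to` to `ms.topic: article` is a downgrade for this page, which is a step-by-step procedure; `how-to` is the more specific topic type and should be kept unless the site-wide metadata now requires `article`. The move from quoted `href="..."` / `target="_blank"` to the unquoted form matches the other files in this change, so that part is consistent.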
@ -61,7 +55,7 @@ Follow these steps to create a certificate template:
| *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*</li></ul>|
| *General* | <ul><li>Specify a **Template display name**, for example *WHfB Certificate Authentication*</li><li>Set the validity period to the desired value</li><li>Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)</li></ul>|
| *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
| *Subject Name* | <ul><li> Select the **Build from this Active Directory** information button if it isn't already selected</li><li>Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected</li><li>Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**</li></ul>|
| *Subject Name* | <ul><li> Select the **Build from this Active Directory** information button if it isn't already selected</li><li>Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected</li><li>Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**</li></ul><br>**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.|
|*Request Handling*|<ul><li>Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose</li><li>Select the **Renew with same key** check box</li><li>Select **Prompt the user during enrollment**</li></ul>|
|*Cryptography*|<ul><li>Set the Provider Category to **Key Storage Provider**</li><li>Set the Algorithm name to **RSA**</li><li>Set the minimum key size to **2048**</li><li>Select **Requests must use one of the following providers**</li><li>Select **Microsoft Software Key Storage Provider**</li><li>Set the Request hash to **SHA256**</li></ul>|
|*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them|
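Review bot: the new **Note** on "Supply in the request" needs a caveat in the same cell: with that setting the subject and the UPN in the SAN come from the requester, so it must not be combined with the *Security* row below, which suggests granting **Enroll** to Authenticated users. When the subject is supplied in the request, limit **Enroll** to the NDES/SCEP service account that Intune's certificate connector enrolls through, so the Intune challenge validation is the only path to a Smart Card Logon certificate; otherwise any domain account could request a logon certificate naming a different user's UPN. Suggest adding something like: "When you select **Supply in the request**, grant **Enroll** only to the NDES service account, not to Authenticated users."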
@ -139,14 +133,14 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c
| --- | --- |
|*Certificate Type*| User |
|*Subject name format* | `CN={{UserPrincipalName}}` |
|*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}`
|*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}`
|*Certificate validity period* | Configure a value of your choosing|
|*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**
|*Key usage*| **Digital Signature**|
|*Key size (bits)* | **2048**|
|*For Hash algorithm*|**SHA-2**|
|*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate|
|*Extended key usage*| <ul><li>*Name:* **Smart Card Logon**</li><li>*Object Identifier:* `1.3.6.1.4.1.311.20.2.2`</li><li>*Predefined Values:* **Smart Card Logon**</li><br><li>*Name:* **Client Authentication**</li><li>*Object Identifier:* `1.3.6.1.5.5.7.3.2 `</li><li>*Predefined Values:* **Client Authentication**</li></ul>|
|*Extended key usage*| <ul><li>*Name:* **Smart Card Logon**</li><li>*Object Identifier:* `1.3.6.1.4.1.311.20.2.2`</li><li>*Predefined Values:* **Not configured**</li><br><li>*Name:* **Client Authentication**</li><li>*Object Identifier:* `1.3.6.1.5.5.7.3.2 `</li><li>*Predefined Values:* **Client Authentication**</li></ul>|
|*Renewal threshold (%)*|Configure a value of your choosing|
|*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure|
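Review bot: the SAN fix to `{{UserPrincipalName}}` is correct (the UPN SAN must be the bare UPN so it matches the account's `userPrincipalName`; `CN=` only belongs in the subject name), but two leftovers in the same table should go with it: the Client Authentication OID code span has a trailing space inside the backticks (`` `1.3.6.1.5.5.7.3.2 ` ``), which is copied along with the value, and the *Subject alternative name* and *Key storage provider (KSP)* rows are missing their closing `|`.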
@ -198,4 +192,4 @@ After obtaining a certificate, users can RDP to any Windows devices in the same
[MEM-5]: /mem/intune/protect/certificates-trusted-root
[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview
[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest
[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest

View File

@ -1,20 +1,10 @@
---
title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
ms.topic: troubleshooting
ms.localizationpriority: medium
ms.date: 05/05/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
---
# Windows Hello errors during PIN creation

View File

@ -1,19 +1,10 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Event ID 300 - Windows Hello successfully created

View File

@ -18,9 +18,8 @@ metadata:
ms.topic: faq
localizationpriority: medium
ms.date: 11/11/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
title: Windows Hello for Business Frequently Asked Questions (FAQ)
summary: |
@ -211,7 +210,7 @@ sections:
- question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
answer: |
No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
- question: Does Windows Hello for Business prevent the use of simple PINs?
answer: |
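Review bot: "If your organization is using Microsoft cloud services" is broader but vaguer than the removed examples; a reader deciding between on-premises and hybrid is helped by at least one concrete signal, so consider keeping one (for example, "such as synchronizing with Azure AD Connect"). In the unchanged remainder of the answer, "organizations who need more time" should be "organizations that need more time".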

View File

@ -1,16 +1,10 @@
---
title: Conditional Access
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/09/2019
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Conditional access

View File

@ -1,16 +1,10 @@
---
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/09/2019
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Dual Enrollment
@ -19,7 +13,6 @@ ms.technology: itpro-security
* Hybrid and On-premises Windows Hello for Business deployments
* Enterprise joined or Hybrid Azure joined devices
* Windows 10, version 1709 or later
* Certificate trust
> [!NOTE]
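Review bot: dropping the "Windows 10, version 1709 or later" bullet is fine now that every supported Windows 10 release is newer than 1709, but the unchanged bullet "Enterprise joined or Hybrid Azure joined devices" should read "Hybrid Azure AD joined devices", the product term used elsewhere in these articles.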

View File

@ -1,19 +1,10 @@
---
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 07/12/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Dynamic lock

View File

@ -1,21 +1,13 @@
---
title: Pin Reset
description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 07/29/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# PIN reset
@ -31,11 +23,6 @@ There are two forms of PIN reset:
There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
**Requirements**
- Reset from settings - Windows 10, version 1703 or later, Windows 11
- Reset above Lock - Windows 10, version 1709 or later, Windows 11
Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
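Review bot: removing the **Requirements** block drops the only statement of the minimum versions (reset from Settings needs Windows 10, version 1703 or later; reset above the lock screen needs version 1709 or later), and nothing in the new text restates them; the front matter now says only "Windows 10 and later", which is broader than what the lock-screen reset supports. Keep the version qualifiers as a sentence in the paragraph that follows, for example "Reset from the lock screen requires Windows 10, version 1709 or later."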
@ -185,7 +172,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
- Value: **True**
>[!NOTE]
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant.
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
```
---
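Review bot: the added sentence ends with a doubled colon ("organization's account::") and "ensuring to sign-in" is ungrammatical; suggest "... or run the following query while signed in with your organization's account:". It would also help to state that the `id` property returned by `GET https://graph.microsoft.com/v1.0/organization?$select=id` is the value to paste in place of `TenantId`, since the reader is copying it into a policy value and the response does not label it as a tenant ID.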

@ -1,24 +1,15 @@
---
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/24/2021
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Remote Desktop
**Requirements**
- Windows 10
- Windows 11
- Hybrid and On-premises Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
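Review bot: with `appliesto` now stating "Windows 10 and later", the two **Requirements** bullets "- Windows 10" and "- Windows 11" are redundant, and this same commit removes the equivalent version bullets from the PIN reset page; drop them here too and keep only the deployment-type and join-type bullets. "Enterprise joined devices" is also not a join type used elsewhere in these pages (the hybrid deployment paragraph lists Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined); check whether "Azure AD registered" was intended.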

@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - Authentication
description: Learn about the authentication flow for Windows Hello for Business.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/15/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business and Authentication

@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Provisioning
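Review bot: `ms.date: 2/15/2022` is not zero-padded, unlike `ms.date: 02/15/2022` on the companion authentication page in this commit; use `02/15/2022` so the dates follow a single mm/dd/yyyy format.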

@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 10/08/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Technology and terms
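Review bot: `ms.date: 10/08/2018` is left unchanged although the later hunks in this file rewrite the federated, hybrid, pass-through authentication and password hash sync paragraphs (Office 365 wording replaced, cloud Kerberos trust added as a third trust type); bump the date so readers can tell the content was revised.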
@ -158,7 +149,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
## Federated environment
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
### Related to federated environment
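Review bot: since this sentence is being rewritten anyway, fix "users accounts are managed on-premises" to "user accounts are managed on-premises" and "a third-party multi-factor authentication" to "third-party multi-factor authentication"; both errors are carried over verbatim from the old line.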
@ -194,7 +185,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
## Hybrid deployment
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
### Related to hybrid deployment
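Review bot: the count changes from two to three trust types, but the "### Related to hybrid deployment" list that follows is outside this hunk; make sure it gains an entry for cloud Kerberos trust, otherwise the paragraph announces a trust type the section never links. Also add the serial comma the surrounding text already uses: "cloud Kerberos trust, key trust, and certificate trust".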
@ -269,7 +260,7 @@ The Windows Hello for Business on-premises deployment is for organizations that
## Pass-through authentication
Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related to pass-through authentication
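Review bot: "Allows your users to sign in to both on-premises and Microsoft cloud resources and applications ..." is a sentence without a subject, carried over from the old line; start it with "PTA allows your users ...". The security claim in the following sentence (passwords are validated against on-premises Active Directory and no password hashes are sent to Azure AD) is the point of the paragraph and reads correctly after the Office 365 to Azure AD rename.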
@ -283,7 +274,7 @@ Pass-through authentication provides a simple password validation for Azure AD a
## Password hash sync
Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related to password hash sync

@ -1,18 +1,10 @@
---
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/05/2018
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# How Windows Hello for Business works in Windows Devices
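Review bot: the `appliesto` link changes from `<a href="..." target="_blank">` to `<a href=... target=_blank>`, dropping the attribute quotes. Unquoted values happen to work for this URL because it contains no spaces, but quoted attributes are the standard form and are what the old line already had; keep the quotes here and on the cloud Kerberos trust page further down, which makes the same change, rather than normalizing every page in this commit to the unquoted form.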

@ -1,25 +1,15 @@
---
title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Azure Active Directory-join</b>
- ✅ <b>Hybrid Deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
## Prerequisites
Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices.
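Review bot: removing "Azure Active Directory-join", "Hybrid Deployment" and "Key trust" from `appliesto` takes the deployment-type and trust-type scoping out of the front matter, so the page now relies on the `hello-hybrid-keycert-trust-aad.md` include to state it; confirm that include names the key trust scope, because the prerequisites section that follows is specific to it. Also, "On-premises Single-Sign On" in the title and H1 should be "on-premises single sign-on", the form used on the Azure AD Join Single Sign-on Deployment page below.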

@ -1,26 +1,16 @@
---
title: Using Certificates for AADJ On-premises Single-sign On single sign-on
title: Use Certificates to enable SSO for Azure AD join devices
description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Azure AD-join</b>
- ✅ <b>Hybrid Deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Using Certificates for AADJ On-premises Single-sign On
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)]
If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
> [!IMPORTANT]
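Review bot: the new title "Use Certificates to enable SSO for Azure AD join devices" should say "Azure AD joined devices" (the description on the next line says "Azure Active Directory-joined devices"), and the H1 still reads "Using Certificates for AADJ On-premises Single-sign On", so title and heading no longer match; update the H1 to the new wording in the same change.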

@ -1,22 +1,15 @@
---
title: Azure AD Join Single Sign-on Deployment
description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Azure AD Join Single Sign-on Deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate.
## Key vs. Certificate

@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)
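Review bot: the title "Hybrid Azure AD joined Windows Hello for Business Trust New Installation" is missing "Certificate" (the H1 reads "... Certificate Trust New Installation"); fix the title while the block is being edited. `ms.date: 4/30/2021` is also not zero-padded; the same value recurs in the next several certificate trust pages and should be `04/30/2021` in each.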

@ -1,24 +1,15 @@
---
title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]

@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Prerequisites
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:

@ -1,39 +1,30 @@
---
title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/08/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Certificate Trust Deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
## Federated Baseline
The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
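Review bot: three paragraphs in this file are rewritten (Office 365 replaced by Azure AD) but `ms.date: 09/08/2017` is unchanged; bump it. While editing the new-deployment paragraph, fix "familiarize themselves Windows Hello for Business" to "familiarize themselves with Windows Hello for Business", an error the new line copies from the old one.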

@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.

@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
### Creating Security Groups

@ -1,24 +1,15 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
## Federation Services
The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.

@ -1,25 +1,16 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
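Review bot: the title "Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch" uses the abbreviation "Synch" while the H1 spells out "Directory Synchronization"; use the full word in the title, and fix the H1's stray hyphen spacing "Business- Directory Synchronization" to "Business: Directory Synchronization", the separator the Active Directory page in this commit uses.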

@ -1,25 +1,16 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.

@ -1,24 +1,14 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
## Policy Configuration

@ -1,24 +1,15 @@
---
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
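Review bot: typo in the context line "configure your hybrid environment for Windows Hello for business": capitalize "Business" to match the product name everywhere else on the page. The include label `hello-hybrid-key-trust` also doesn't match the included file `hello-hybrid-cert-trust.md`, same issue as in the Group Policy article above.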

View File

@ -1,29 +1,14 @@
---
title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 11/1/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H2 and later</a>
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10, version 21H2 and later</a>
ms.topic: article
---
# Hybrid cloud Kerberos trust deployment
This document describes Windows Hello for Business functionalities or scenarios that apply to:\
**Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
**Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md)\
**Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
<br>
---
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)]
Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
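Review bot: the replacement `appliesto` entry drops the attribute quoting the line it replaces had (`href="https://..." target="_blank"` becomes `href=https://... target=_blank`). Unquoted values are tolerated by HTML parsers, but the quoted form was already correct and is safer if a URL ever carries `?` or `&`; keep the quotes here and in the other front matter touched by this change. `appliesto:` also appears twice in the shown lines; confirm only one key survives in the merged file, since a duplicated YAML key is at best ignored and at worst rejected by the build.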

View File

@ -1,24 +1,15 @@
---
title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)
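Review bot: the context sentence "Hybrid key trust deployments of Windows Hello for Business rely on these technologies" has no terminal punctuation before the bullet list that follows; end it with a colon.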

View File

@ -1,24 +1,15 @@
---
title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/04/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
> [!NOTE]
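Review bot: the description "Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)" doesn't match the title, which is about key trust; "Certificate Key Deployment" isn't a deployment type used anywhere else on the page. Suggest "Configure Azure AD device registration for a hybrid key trust deployment of Windows Hello for Business". The directory synchronization article below carries the same mismatched description and should get the same fix.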

View File

@ -1,24 +1,15 @@
---
title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
## Deploy Azure AD Connect

View File

@ -1,24 +1,16 @@
---
title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
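Review bot: the `appliesto` replacement reduces the scope block from four entries (Windows 10, Windows 11, Hybrid deployment, Key trust) to a single "Windows 10 and later" link, so the deployment type and trust type are now carried only by the `hello-hybrid-key-trust.md` include banner. Make sure that include actually states both; otherwise a reader landing on this page from search no longer sees that it is hybrid and key trust specific. This applies to every front matter hunk in this diff, not only this one.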
@ -33,7 +25,7 @@ The distributed systems on which these technologies were built involved several
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.
If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
@ -113,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS.
### Section Review
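Review bot: the rewrite removes "The MFA enabled by an Office 365 license is sufficient for Azure AD." without replacing it. If that licensing statement is out of date, say what replaces it or link the licensing page rather than dropping it silently; it was the one concrete answer readers had to "which MFA do I need for hybrid key trust". Also fix the context line typo "a strong, two-factor credential the helps organizations" to "that helps".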

View File

@ -1,33 +1,24 @@
---
title: Hybrid Key Trust Deployment (Windows Hello for Business)
description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Key Trust Deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline ##
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
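Review bot: the added sentence keeps the original typo "familiarize themselves Windows Hello for Business"; insert "with" while the line is being rewritten. The heading `## New Deployment Baseline ##` also uses closing hashes, which no other heading in this diff does; drop them for consistency.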

View File

@ -1,23 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.

View File

@ -1,24 +1,14 @@
---
title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users.
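Review bot: the `appliesto:` block shown under the `# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory` heading sits after the closing `---`, outside the YAML front matter, so in the pre-change file it rendered as literal text. Moving `appliesto` into the front matter is the right fix; confirm the stray block below the heading is removed rather than left behind as a second copy.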

View File

@ -1,27 +1,18 @@
---
title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
### Group Memberships for the Azure AD Connect Service Account
>[!IMPORTANT]

View File

@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 04/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust.
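Review bot: context line typo "to encrypt the data that flows them and the client computer" is missing "between"; the certificate trust PKI article at the top of this diff has the correct wording, "flows between them and the client computer". Fix it while the file is open, and align the "publicly issued" / "publicly-issued" spelling between the two articles at the same time.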

View File

@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
## Policy Configuration
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).

View File

@ -1,26 +1,17 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business key trust settings
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business.
> [!IMPORTANT]
> Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment.

View File

@ -1,18 +1,13 @@
---
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Deployment Prerequisite Overview
@ -21,7 +16,6 @@ This article lists the infrastructure requirements for the different deployment
## Azure AD Cloud Only Deployment
* Windows 10, version 1511 or later, or Windows 11
* Microsoft Azure Account
* Azure Active Directory
* Azure AD Multifactor Authentication
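Review bot: dropping "Microsoft Azure Account" from the Azure AD cloud-only list while keeping "Azure Active Directory" is consistent with the "requires Azure Active Directory" rewording in the key trust prerequisites hunk above. If the hybrid lists further down this article carry the same "Azure Account" bullet, apply the same removal there so the deployment lists agree with each other.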

Some files were not shown because too many files have changed in this diff.