deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into vp-csp-pilot

Browse Source
This commit is contained in:
Vinay Pamnani 2022-11-29 10:35:43 -05:00 committed by GitHub
commit b6bf030c85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
141 changed files with 1754 additions and 1944 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
education/windows/index.yml
View File

@ -7,7 +7,8 @@ metadata:
title: Windows for Education documentation
description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
ms.topic: landing-page
ms.prod: windows
ms.prod: windows-client
ms.technology: itpro-edu
ms.collection:
- education
- highpri

BIN
images/grouppolicy-paste.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

20
windows/application-management/index.yml
View File

@ -1,25 +1,19 @@
### YamlMime:Landing
title: Windows application management # < 60 chars
summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. # < 160 chars
title: Windows application management
summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions.
metadata:
title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
title: Windows application management
description: Learn about managing applications in Windows 10 and Windows 11.
ms.topic: landing-page
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 08/24/2021 #Required; mm/dd/yyyy format.
ms.localizationpriority : medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
ms.date: 08/24/2021
landingContent:
# Cards and links should be based on top customer tasks or top subjects

8
windows/client-management/index.yml
View File

@ -6,12 +6,10 @@ summary: Find out how to apply custom configurations to Windows client devices.
metadata:
title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-manage
ms.collection:
- windows-10
- highpri
author: aczechowski
ms.author: aaroncz

7
windows/client-management/mdm/index.yml
View File

@ -6,11 +6,10 @@ summary: Learn more about the configuration service provider (CSP) policies avai
metadata:
title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page # Required
services: windows-10
ms.prod: windows
ms.topic: landing-page
ms.technology: itpro-manage
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
ms.custom: intro-hub-or-landing
author: vinaypamnani-msft

5
windows/configuration/index.yml
View File

@ -6,12 +6,9 @@ summary: Find out how to apply custom configurations to Windows 10 and Windows 1
metadata:
title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
author: aczechowski
ms.author: aaroncz

4
windows/deployment/TOC.yml
View File

@ -222,6 +222,10 @@
href: update/wufb-reports-schema-ucclientupdatestatus.md
- name: UCDeviceAlert
href: update/wufb-reports-schema-ucdevicealert.md
- name: UCDOAggregatedStatus
href: update/wufb-reports-schema-ucdoaggregatedstatus.md
- name: UCDOStatus
href: update/wufb-reports-schema-ucdostatus.md
- name: UCServiceUpdateStatus
href: update/wufb-reports-schema-ucserviceupdatestatus.md
- name: UCUpdateAlert

6
windows/deployment/Windows-AutoPilot-EULA-note.md
View File

@ -3,7 +3,7 @@ title: Windows Autopilot EULA dismissal important information
description: A notice about EULA dismissal through Windows Autopilot
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
@ -13,8 +13,8 @@ ms.technology: itpro-deploy
---
# Windows Autopilot EULA dismissal important information
>[!IMPORTANT]
>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
> [!IMPORTANT]
> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.

61
windows/deployment/add-store-apps-to-image.md
View File

@ -9,72 +9,83 @@ ms.reviewer:
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Add Microsoft Store for Business applications to a Windows 10 image
**Applies to**
*Applies to:*
- Windows 10
This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
>[!IMPORTANT]
>In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
> [!IMPORTANT]
> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
## Prerequisites
* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app).
* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app).
- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
>[!NOTE]
> [!NOTE]
> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**.
## Adding a Store application to your image
On a machine where your image file is accessible:
1. Open Windows PowerShell with administrator privileges.
2. Mount the image. At the Windows PowerShell prompt, type:
2. Mount the image. At the Windows PowerShell prompt, enter:
`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter:
`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
>[!NOTE]
>Paths and file names are examples. Use your paths and file names where appropriate.
> [!NOTE]
> Paths and file names are examples. Use your paths and file names where appropriate.
>
>Do not dismount the image, as you will return to it later.
> Do not dismount the image, as you will return to it later.
## Editing the Start Layout
In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
On a test machine:
1. **Install the Microsoft Store for Business application you previously added** to your image.
2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
3. Open Windows PowerShell with administrator privileges.
4. Use `Export-StartLayout -path <path><file name>.xml` where *\<path>\<file name>* is the path and name of the xml file your will later import into your Windows Image.
5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
Now, on the machine where your image file is accessible:
1. Import the Start layout. At the Windows PowerShell prompt, type:
1. Import the Start layout. At the Windows PowerShell prompt, enter:
`Import-StartLayout -LayoutPath "<path><file name>.xml" -MountPath "C:\test\"`
2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
2. Save changes and dismount the image. At the Windows PowerShell prompt, enter:
`Dismount-WindowsImage -Path c:\test -Save`
>[!NOTE]
>Paths and file names are examples. Use your paths and file names where appropriate.
> [!NOTE]
> Paths and file names are examples. Use your paths and file names where appropriate.
>
>For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization)
> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization)
## Related articles
* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
* [Export-StartLayout](/powershell/module/startlayout/export-startlayout)
* [Import-StartLayout](/powershell/module/startlayout/import-startlayout)
* [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)
* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
* [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
- [Export-StartLayout](/powershell/module/startlayout/export-startlayout)
- [Import-StartLayout](/powershell/module/startlayout/import-startlayout)
- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)

136
windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
View File

@ -8,13 +8,13 @@ manager: aaroncz
ms.author: frankroj
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Configure a PXE server to load Windows PE
**Applies to**
*Applies to:*
- Windows 10
@ -37,56 +37,65 @@ All four of the roles specified above can be hosted on the same computer or each
3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **&lt;architecture&gt;** can be **x86**, **amd64**, or **arm** and **&lt;destination&gt;** is a path to a local directory. If the directory doesn't already exist, it will be created.
```
```cmd
copype.cmd <architecture> <destination>
```
For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory:
```
```cmd
copype.cmd amd64 C:\winpe_amd64
```
The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created:
```
```cmd
C:\winpe_amd64
C:\winpe_amd64\fwfiles
C:\winpe_amd64\media
C:\winpe_amd64\mount
```
4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example.
```cmd
dism.exe /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
```
Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
```
Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**.
Verify that the message **The operation completed successfully** is displayed.
> [!NOTE]
> To view currently mounted images, enter **`dism.exe /get-MountedWiminfo`**.
5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**:
```
net use y: \\PXE-1\TFTPRoot
```cmd
net.exe use y: \\PXE-1\TFTPRoot
y:
md Boot
```
6. Copy the PXE boot files from the mounted directory to the \boot folder. For example:
```
```cmd
copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot
```
7. Copy the boot.sdi file to the PXE/TFTP server.
```
```cmd
copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot
```
8. Copy the bootable Windows PE image (boot.wim) to the \boot folder.
```
```cmd
copy C:\winpe_amd64\media\sources\boot.wim y:\Boot
```
9. (Optional) Copy true type fonts to the \boot folder
```
9. (Optional) Copy TrueType fonts to the \boot folder
```cmd
copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts
```
@ -94,50 +103,56 @@ All four of the roles specified above can be hosted on the same computer or each
1. Create a BCD store using bcdedit.exe:
```cmd
bcdedit.exe /createstore c:\BCD
```
bcdedit /createstore c:\BCD
```
2. Configure RAMDISK settings:
```cmd
bcdedit.exe /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi
bcdedit.exe /store c:\BCD /create /d "winpe boot image" /application osloader
```
bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi
bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader
```
The last command will return a GUID, for example:
```
```console
The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created.
```
Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID.
3. Create a new boot application entry for the Windows PE image:
```cmd
bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows
bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes
bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes
```
bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} systemroot \windows
bcdedit /store c:\BCD /set {GUID1} detecthal Yes
bcdedit /store c:\BCD /set {GUID1} winpe Yes
```
4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID):
```cmd
bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager"
bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30
bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast
```
bcdedit /store c:\BCD /create {bootmgr} /d "boot manager"
bcdedit /store c:\BCD /set {bootmgr} timeout 30
bcdedit /store c:\BCD -displayorder {GUID1} -addlast
```
5. Copy the BCD file to your TFTP server:
```
```cmd
copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD
```
Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit.exe /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
```
C:\>bcdedit /store C:\BCD /enum all
```cmd
C:\>bcdedit.exe /store C:\BCD /enum all
Windows Boot Manager
--------------------
identifier {bootmgr}
@ -163,25 +178,46 @@ ramdisksdidevice boot
ramdisksdipath \Boot\boot.sdi
```
>[!TIP]
>If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different.
> [!TIP]
> If you start the PXE boot process, but receive the error **The boot configuration data for your PC is missing or contains error**, then verify that `\boot` directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different.
## PXE boot process summary
The following process summarizes the PXE client boot.
>The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)).
<!--
1. A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server.
2. PXEboot.n12 immediately begins a network boot.
3. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD.
5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present.
6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image.
7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE.
8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system.
DHCP OPTIONS ARE NOT RECOMMENDED AND IN SOME SCENARIOS NOT SUPPORTED. SWITCHING TO IP HELPERS.
## See Also
>The following assumes that you have configured DHCP option 67 (Bootfile Name) to `boot\PXEboot.n12` which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)).
### Concepts
1. A client is directed by DHCP options 066 and 067 to download `boot\PXEboot.n12` from the TFTP server.
-->
> [!NOTE]
> The following assumes that the client and PXE server are on the same network/subnet/vlan or that PXE requests have been appropriately forwarded from the client to the PXE server using IP helpers configured in the router or switch. For more information about IP helpers, see [Configuring Your Router to Forward Broadcasts](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)#configuring-your-router-to-forward-broadcasts-recommended).
1. A client contacts the PXE server. When the client is on a different network/subnet/vlan as the PXE server, the client is routed to the PXE server using the IP helpers.
2. The PXE server sends DHCP options 060 (client identifier **PXEClient**), 066 (boot server host name) and 067 (boot file name) to the client.
3. The client downloads `boot\PXEboot.n12` from the TFTP server based on DHCP option 067 boot file name value received from the PXE server.
4. `PXEboot.n12` immediately begins a network boot.
5. The client downloads `boot\bootmgr.exe` and the `boot\BCD` file from the TFTP server.
> [!NOTE]
> The BCD store must reside in the `\boot` directory on the TFTP server and must be named BCD.
6. `Bootmgr.exe` reads the BCD operating system entries and downloads `boot\boot.sdi` and the Windows PE image (`boot\boot.wim`). Optional files that can also be downloaded include TrueType fonts (`boot\Fonts\wgl4_boot.ttf`) and the hibernation state file (`\hiberfil.sys`) if these files are present.
7. `Bootmgr.exe` starts Windows PE by calling `winload.exe` within the Windows PE image.
8. Windows PE loads, a command prompt opens and `wpeinit.exe` is run to initialize Windows PE.
9. The Windows PE client provides access to tools like `imagex.exe`, `diskpart.exe`, and `bcdboot.exe` using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system.
### Related articles
[Windows PE Walkthroughs](/previous-versions/windows/it-pro/windows-vista/cc748899(v=ws.10))

4
windows/deployment/deploy-enterprise-licenses.md
View File

@ -12,7 +12,7 @@ ms.collection: highpri
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Deploy Windows Enterprise licenses
@ -252,7 +252,7 @@ Use the following procedures to review whether a particular device meets these r
To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:
```PowerShell
```powershell
(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
```

16
windows/deployment/deploy-m365.md
View File

@ -10,13 +10,13 @@ author: frankroj
ms.topic: article
ms.collection: M365-modern-desktop
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Deploy Windows 10 with Microsoft 365
**Applies to**
*Applies to:*
- Windows 10
@ -34,18 +34,18 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
## Free trial account
**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center
From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles.
There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
**If you do not already have a Microsoft services subscription**
### If you do not already have a Microsoft services subscription
You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
>[!NOTE]
>If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
> [!NOTE]
> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365).
2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
@ -55,17 +55,19 @@ Examples of these two deployment advisors are shown below.
- [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365)
- [Free trial account](#free-trial-account)
- [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center)
- [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription)
- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
- [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster)
- [Related articles](#related-articles)
## Microsoft 365 deployment advisor example
![Microsoft 365 deployment advisor.](images/m365da.png)
## Windows Analytics deployment advisor example
## Microsoft 365 Enterprise poster
[![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)

9
windows/deployment/deploy-whats-new.md
View File

@ -9,13 +9,14 @@ author: frankroj
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# What's new in Windows client deployment
**Applies to:**
*Applies to:*
- Windows 10
- Windows 11
@ -30,6 +31,7 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition
## Windows 11
Check out the following new articles about Windows 11:
- [Overview of Windows 11](/windows/whats-new/windows-11)
- [Plan for Windows 11](/windows/whats-new/windows-11-plan)
- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
@ -51,6 +53,7 @@ The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deploym
## Microsoft 365
Microsoft 365 is a new offering from Microsoft that combines
- Windows 10
- Office 365
- Enterprise Mobility and Security (EMS).
@ -68,6 +71,7 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include:
- Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content.
@ -84,6 +88,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
### Windows Update for Business
[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.

279
windows/deployment/deploy-windows-to-go.md
View File

@ -6,14 +6,15 @@ manager: aaroncz
author: frankroj
ms.author: frankroj
ms.prod: windows-client
ms.technology: itpro-deploy
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Deploy Windows To Go in your organization
**Applies to**
*Applies to:*
- Windows 10
@ -26,15 +27,15 @@ This article helps you to deploy Windows To Go in your organization. Before you
The below list is items that you should be aware of before you start the deployment process:
* Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
* When running a Windows To Go workspace, always shut down the workspace before unplugging the drive.
- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive.
* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
## Basic deployment steps
@ -42,15 +43,15 @@ Unless you're using a customized operating system image, your initial Windows To
Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)).
>[!WARNING]
>If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
> [!WARNING]
> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
### Create the Windows To Go workspace
In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools.
>[!WARNING]
>The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
> [!WARNING]
> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
#### To create a Windows To Go workspace with the Windows To Go Creator Wizard
@ -58,37 +59,31 @@ In this step we're creating the operating system image that will be used on the
2. Insert the USB drive that you want to use as your Windows To Go drive into your PC.
3. Verify that the .wim file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
>[!NOTE]
>For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)).
> [!NOTE]
> For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)).
4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens.
4. Search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens.
5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.**
6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the .wim file location and select select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**.
6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**.
7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions.
r
7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
>[!WARNING]
>If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated.
> [!WARNING]
> If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated.
If you choose to encrypt the Windows To Go drive now:
If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters.
- Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters.
~~~
>[!IMPORTANT]
>The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)).
~~~
> [!IMPORTANT]
> The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)).
8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process.
>[!WARNING]
>The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.
> [!WARNING]
> The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.
9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer.
@ -98,11 +93,15 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC.
1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
1. Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
2. In the Windows PowerShell session type, the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
```
<br>
<details>
<summary>Expand to show PowerShell commands to partition an MBR disk</summary>
```powershell
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
@ -136,27 +135,31 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
</details>
3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
> [!TIP]
> The index number must be set correctly to a valid Enterprise image in the `.wim` file.
```
```cmd
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
~~~
```
W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
```
~~~
```cmd
W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S:
```
5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step:
```
<br>
<details>
<summary>Expand to show example san_policy.xml file</summary>
```xml
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="offlineServicing">
@ -186,15 +189,21 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
</unattend>
```
</details>
6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command:
```
```cmd
Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
```
7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file:
```
<br>
<details>
<summary>Expand to show example san_policy.xml file</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
@ -218,10 +227,12 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
</unattend>
```
After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\)
</details>
>[!IMPORTANT]
>Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`)
> [!IMPORTANT]
> Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC.
@ -231,14 +242,14 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a
Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace.
>[!TIP]
>If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer.
> [!TIP]
> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer.
If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer.
To set the Windows To Go Startup options for host computers running Windows 10:
1. Using Cortana, search for **Windows To Go startup options** and then press **Enter**.
1. Search for **Windows To Go startup options** and then press **Enter**.
2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB
@ -250,7 +261,7 @@ For host computers running Windows 8 or Windows 8.1:
You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting:
**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\Windows To Go Default Startup Options**
**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options**
After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options.
@ -260,13 +271,13 @@ Your host computer is now ready to boot directly into Windows To Go workspace wh
After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace:
**To boot your workspace**
**To boot your workspace:**
1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it.
2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender.
3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to type the password, otherwise the workspace will boot directly into the Windows To Go workspace.
3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace.
## Advanced deployment steps
@ -276,7 +287,7 @@ The following steps are used for more advanced deployments where you want to hav
Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network.
**Prerequisites for remote access scenario**
**Prerequisites for remote access scenario:**
- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer
@ -286,16 +297,16 @@ Making sure that Windows To Go workspaces are effective when used off premises i
- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain
**To configure your Windows To Go workspace for remote access**
**To configure your Windows To Go workspace for remote access:**
1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by &lt;&gt;) with the ones applicable for your environment:
```
djoin /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
```cmd
djoin.exe /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
```
>[!NOTE]
>The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)).
> [!NOTE]
> The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)).
2. Insert the Windows To Go drive.
@ -303,7 +314,11 @@ Making sure that Windows To Go workspaces are effective when used off premises i
4. From the Windows PowerShell command prompt run:
```
<br>
<details>
<summary>Expand this section to show PowerShell commands to run</summary>
```powershell
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
@ -337,27 +352,31 @@ Making sure that Windows To Go workspaces are effective when used off premises i
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
</details>
5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
~~~
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
```cmd
#The WIM file must contain a sysprep generalized image.
dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
```
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
~~~
> [!TIP]
> The index number must be set correctly to a valid Enterprise image in the `.wim` file.
6. After those commands have completed, run the following command:
```
djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
```cmd
djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
```
7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)):
```
<br>
<details>
<summary>Expand this section to show example unattend.xml file</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
@ -391,16 +410,18 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind
</unattend>
```
</details>
8. Safely remove the Windows To Go drive.
9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace.
* If on premises using a host computer with a direct network connection, sign on using your domain credentials.
- If on premises using a host computer with a direct network connection, sign on using your domain credentials.
* If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials.
- If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials.
>[!NOTE]
>Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
> [!NOTE]
> Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises.
@ -410,17 +431,23 @@ Enabling BitLocker on your Windows To Go drive will help ensure that your data i
#### Prerequisites for enabling BitLocker scenario
* A Windows To Go drive that can be successfully provisioned.
- A Windows To Go drive that can be successfully provisioned.
* A computer running Windows 8 configured as a Windows To Go host computer
- A computer running Windows 8 configured as a Windows To Go host computer
* Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary:
- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary:
**\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup**. This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting.
- **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup**
**\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Configure use of passwords for operating system drives**. This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting.
**\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Enable use of BitLocker authentication requiring preboot keyboard input on slates**. This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives.
- **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives**
This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled.
- **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates**
This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives.
You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios.
@ -434,8 +461,10 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive.
- **Warning**
If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place.
- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user.
> [!WARNING]
> If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place.
#### To enable BitLocker during provisioning
@ -447,10 +476,14 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
4. Provision the Windows To Go drive using the following cmdlets:
>[!NOTE]
>If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
> [!NOTE]
> If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
```
<br>
<details>
<summary>Expand this section to show PowerShell commands to run</summary>
```powershell
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
@ -484,25 +517,27 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
</details>
Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
> [!TIP]
> The index number must be set correctly to a valid Enterprise image in the `.wim` file.
```
```cmd
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive:
```
```powershell
$BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector
```
6. Next, use the following cmdlets to save the recovery key to a file:
```
```powershell
#The BitLocker Recovery key is essential if for some reason you forget the BitLocker password
#This recovery key can also be backed up into Active Directory using manage-bde.exe or the
#PowerShell cmdlet Backup-BitLockerKeyProtector.
@ -512,35 +547,34 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation:
```
```powershell
# Create a variable to store the password
$spwd = ConvertTo-SecureString -String <password> -AsplainText -Force
Enable-BitLocker W: -PasswordProtector $spwd
```
>[!WARNING]
>To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background.
> [!WARNING]
> To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background.
8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten.
>[!WARNING]
>If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key.
> [!WARNING]
> If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key.
If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker).
If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution).
9. Safely remove the Windows To Go drive.
The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information:
* Initial BitLocker password that they'll need to boot the drives.
- Initial BitLocker password that they'll need to boot the drives.
* Current encryption status.
- Current encryption status.
* Instructions to change the BitLocker password after the initial boot.
- Instructions to change the BitLocker password after the initial boot.
* Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact.
- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact.
<a href="" id="enable-bitlocker"></a>
#### To enable BitLocker after distribution
1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace
@ -551,8 +585,8 @@ The Windows To Go drives are now ready to be distributed to users and are protec
4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option.
>[!NOTE]
>If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace.
> [!NOTE]
> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace.
### Advanced deployment sample script
@ -562,11 +596,11 @@ The sample script creates an unattend file that streamlines the deployment proce
#### Prerequisites for running the advanced deployment sample script
* To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts.
- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts.
* Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters.
- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters.
* The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters.
- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters.
#### To run the advanced deployment sample script
@ -576,14 +610,14 @@ The sample script creates an unattend file that streamlines the deployment proce
3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt:
```
```powershell
Set-ExecutionPolicy RemoteSigned
```
The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).
> [!TIP]
> To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing &lt;cmdlet-name&gt; with the name of the cmdlet you want to see the help for:
> To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `<cmdlet-name>` with the name of the cmdlet you want to see the help for:
>
> `Get-Help <cmdlet-name> -Online`
>
@ -591,7 +625,11 @@ The sample script creates an unattend file that streamlines the deployment proce
#### Windows To Go multiple drive provisioning sample script
```
<br>
<details>
<summary>Expand this section to view Windows To Go multiple drive provisioning sample script</summary>
```powershell
<#
.SYNOPSIS
Windows To Go multiple drive provisioning sample script.
@ -959,22 +997,23 @@ write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)"
write-output "" "Provisioning script complete."
```
</details>
## Considerations when using different USB keyboard layouts with Windows To Go
In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout:
```
reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f
reg unload HKLM\WTG-Keyboard
```cmd
reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f
reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f
reg.exe unload HKLM\WTG-Keyboard
```
## Related articles
[Windows To Go: feature overview](planning/windows-to-go-overview.md)
[Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)

2
windows/deployment/deploy.md
View File

@ -9,7 +9,7 @@ ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---

8
windows/deployment/do/index.yml
View File

@ -6,12 +6,10 @@ summary: Set up peer to peer downloads for Windows Updates and learn about Micro
metadata:
title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-updates
ms.collection:
- windows-10
- highpri
author: aczechowski
ms.author: aaroncz

8
windows/deployment/index.yml
View File

@ -6,12 +6,10 @@ summary: Learn about deploying and keeping Windows client devices up to date. #
metadata:
title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.technology: itpro-apps
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
author: frankroj
ms.author: frankroj

115
windows/deployment/mbr-to-gpt.md
View File

@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.prod: windows-client
author: frankroj
ms.author: frankroj
ms.date: 10/31/2022
ms.date: 11/23/2022
manager: aaroncz
ms.localizationpriority: high
ms.topic: article
@ -15,18 +15,19 @@ ms.technology: itpro-deploy
# MBR2GPT.EXE
**Applies to**
*Applies to:*
- Windows 10
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
See the following video for a detailed description and demonstration of MBR2GPT.
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o]
You can use MBR2GPT to:
@ -45,6 +46,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s
## Disk Prerequisites
Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
- The disk is currently using MBR
- There's enough space not occupied by partitions to store the primary and secondary GPTs:
- 16 KB + 2 sectors at the front of the disk
@ -66,21 +68,21 @@ If any of these checks fails, the conversion won't proceed, and an error will be
| Option | Description |
|----|-------------|
|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|/disk:\<diskNumber\>| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
|/logs:\<logDirectory\>| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
|/map:\<source\>=\<destination\>| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
|/allowFullOS| By default, MBR2GPT.exe is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|**/disk:*\<diskNumber\>***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
|**/logs:*\<logDirectory\>***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
|**/map:*\<source\>*=*\<destination\>***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
## Examples
### Validation example
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```console
X:\>mbr2gpt /validate /disk:0
```cmd
X:\>mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
@ -92,16 +94,25 @@ MBR2GPT: Validation completed successfully
In the following example:
1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
2. The MBR2GPT tool is used to convert disk 0.
3. The DiskPart tool displays that disk 0 is now using the GPT format.
4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
3. The MBR2GPT tool is used to convert disk 0.
4. The DiskPart tool displays that disk 0 is now using the GPT format.
5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
```console
X:\>DiskPart
<br>
<details>
<summary>Expand to show MBR2GPT example</summary>
```cmd
X:\>DiskPart.exe
Microsoft DiskPart version 10.0.15048.0
@ -219,6 +230,8 @@ Offset in Bytes: 524288000
* Volume 1 D Windows NTFS Partition 58 GB Healthy
```
</details>
## Specifications
### Disk conversion workflow
@ -259,14 +272,15 @@ Since GPT partitions use a different set of type IDs than MBR partitions, each p
4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
For more information about partition types, see:
- [GPT partition types](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt)
- [MBR partition types](/windows/win32/fileio/disk-partition-types)
### Persisting drive letter assignments
The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
@ -302,12 +316,12 @@ The default location for all these log files in Windows PE is **%windir%**.
### Interactive help
To view a list of options available when using the tool, type **mbr2gpt /?**
To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`**
The following text is displayed:
```console
C:\> mbr2gpt /?
```cmd
C:\> mbr2gpt.exe /?
Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
@ -348,19 +362,18 @@ MBR2GPT has the following associated return codes:
| Return code | Description |
|----|-------------|
|0| Conversion completed successfully.|
|1| Conversion was canceled by the user.|
|2| Conversion failed due to an internal error.|
|3| Conversion failed due to an initialization error.|
|4| Conversion failed due to invalid command-line parameters. |
|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
|6| Conversion failed because one or more volumes on the disk is encrypted.|
|7| Conversion failed because the geometry and layout of the selected disk don't meet requirements.|
|8| Conversion failed due to error while creating the EFI system partition.|
|9| Conversion failed due to error installing boot files.|
|10| Conversion failed due to error while applying GPT layout.|
|100| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.|
|**0**| Conversion completed successfully.|
|**1**| Conversion was canceled by the user.|
|**2**| Conversion failed due to an internal error.|
|**3**| Conversion failed due to an initialization error.|
|**4**| Conversion failed due to invalid command-line parameters. |
|**5**| Conversion failed due to error reading the geometry and layout of the selected disk.|
|**6**| Conversion failed because one or more volumes on the disk is encrypted.|
|**7**| Conversion failed because the geometry and layout of the selected disk don't meet requirements.|
|**8**| Conversion failed due to error while creating the EFI system partition.|
|**9**| Conversion failed due to error installing boot files.|
|**10**| Conversion failed due to error while applying GPT layout.|
|**100**| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.|
### Determining the partition type
@ -381,8 +394,8 @@ You can also view the partition type of a disk by opening the Disk Management to
If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
```console
X:\>DiskPart
```cmd
X:\>DiskPart.exe
Microsoft DiskPart version 10.0.15048.0
@ -405,15 +418,15 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is
When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues:
**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive.
**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive.
**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there's no output from the tool.
**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool.
**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
#### Cause
This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
#### Workaround
@ -430,31 +443,31 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
**Command 1:**
```console
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
```
This command copies three files:
* ReAgent.admx
* ReAgent.dll
* ReAgent.xml
- ReAgent.admx
- ReAgent.dll
- ReAgent.xml
**Command 2:**
```console
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us"
```
This command copies two files:
* ReAgent.adml
* ReAgent.dll.mui
- ReAgent.adml
- ReAgent.dll.mui
> [!NOTE]
> If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language.
3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
## Related articles

3
windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
View File

@ -3,7 +3,8 @@ metadata:
title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
ms.prod: w10
ms.prod: windows-client
ms.technology: itpro-deploy
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library

3
windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
View File

@ -8,7 +8,8 @@ metadata:
ms.author: frankroj
manager: aaroncz
keywords: FAQ, mobile, device, USB
ms.prod: w10
ms.prod: windows-client
ms.technology: itpro-deploy
ms.mktglfcycl: deploy
ms.pagetype: mobility
ms.sitesec: library

12
windows/deployment/s-mode.md
View File

@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
@ -20,15 +20,15 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update
## S mode key features
**Microsoft-verified security**
### Microsoft-verified security
With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
**Performance that lasts**
### Performance that lasts
Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go.
**Choice and flexibility**
### Choice and flexibility
Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
@ -49,6 +49,6 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too
## Related links
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
- [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
- [Microsoft Defender for Endpoint](/microsoft-365/windows/microsoft-defender-atp)

BIN
windows/deployment/update/images/wufb-do-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 149 KiB

35
windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md Normal file
View File

@ -0,0 +1,35 @@
---
title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus
ms.reviewer:
manager: naengler
description: UCDOAggregatedStatus schema
ms.prod: windows-client
author: cmknox
ms.author: carmenf
ms.collection: M365-analytics
ms.topic: reference
ms.date: 11/17/2022
ms.technology: itpro-updates
---
# UCDOAggregatedStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. |
| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. |
| **DeviceCount** | [long](/azure/kusto/query/scalar-data-types/long) | `27077` | Number of devices. |
| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID |
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. |

55
windows/deployment/update/wufb-reports-schema-ucdostatus.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Windows Update for Business reports Data Schema - UCDOStatus
ms.reviewer:
manager: naengler
description: UCDOStatus schema
ms.prod: windows-client
author: cmknox
ms.author: carmenf
ms.collection: M365-analytics
ms.topic: reference
ms.date: 11/17/2022
ms.technology: itpro-updates
---
# UCDOStatus
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization.
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. |
| **City** | [string](/azure/kusto/query/scalar-data-types/string) | `Redmond` | Approximate city where device was located while downloading content, based on IP address. |
| **ContentDownloadMode** | [int](/azure/kusto/query/scalar-data-types/int) | `1` | Device's Delivery Optimization Download Mode used to download content. |
| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. |
| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | Approximate country where device was located while downloading content, based on IP address. |
| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `DESKTOP-DO` | User or organization provided device name. If the value appears as '#', configure the device to send device name. |
| **DOStatusDescription** | [string](/azure/kusto/query/scalar-data-types/string) | `Downloading` | A short description of Delivery Optimization status, if any. |
| **DownloadMode** | [string](/azure/kusto/query/scalar-data-types/string) | `LAN (1)` | Delivery Optimization Download Mode configured on the device. |
| **DownloadModeSrc** | [string](/azure/kusto/query/scalar-data-types/string) | `MDM` | The source of the Download Mode configuration. |
| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft global device identifier. This identifier is used by Microsoft internally. |
| **GroupID** | [string](/azure/kusto/query/scalar-data-types/string) | `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` | Delivery Optimization Group ID GUID value. |
| **ISP** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft Corporation` | Internet Service Provider estimation. |
| **LastCensusSeenTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
| **NoPeersCount** | [long](/azure/kusto/query/scalar-data-types/long) | `4` | Count of peers device interacted with. |
| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10/11 operating system version currently installed on the device, such as 20H1, 21H2. |
| **PeerEligibleTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `5` | Total count of eligible transfers by peers. |
| **PeeringStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `On` | Delivery Optimization peering status. |
| **PeersCannotConnectCount** | [long](/azure/kusto/query/scalar-data-types/long) | `1` | Count of peers Delivery Optimization couldn't connect to. |
| **PeersSuccessCount** | [long](/azure/kusto/query/scalar-data-types/long) | `2` | Count of peers Delivery Optimization successfully connected to. |
| **PeersUnknownCount** | [long](/azure/kusto/query/scalar-data-types/long) | `0` | Count of peers with an unknown relation. |
| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) |`6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID |
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
| **TotalTimeForDownload** | [string](/azure/kusto/query/scalar-data-types/string) | `00:02:11` | Total time to download content. |
| **TotalTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `304` | Total count of data transfers needed to download content. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. |

4
windows/deployment/update/wufb-reports-workbook.md
View File

@ -141,7 +141,7 @@ The **Device status** group for feature updates contains the following items:
## <a name="bkmk_do"></a> Delivery Optimization (preview tab)
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes Microsoft Connected Cache (MCC) information.
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
At the top of the report, tiles display the following information:
@ -156,6 +156,8 @@ The Delivery Optimization tab is further divided into the following groups:
- **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**.
- **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**.
:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png":::
## Customize the workbook
Since the Windows Update for Business reports workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started).

5
windows/deployment/usmt/understanding-migration-xml-files.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/01/2022
ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@ -136,6 +136,9 @@ The default `MigUser.xml` file migrates the following data:
> [!NOTE]
> The asterisk (`*`) stands for zero or more characters.
> [!NOTE]
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
The default `MigUser.xml` file doesn't migrate the following data:
- Files tagged with both the **Hidden** and **System** attributes.

4
windows/deployment/usmt/usmt-faq.yml
View File

@ -3,11 +3,11 @@ metadata:
title: 'Frequently Asked Questions (Windows 10)'
description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.'
ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
ms.reviewer:
ms.prod: windows-client
ms.technology: itpro-deploy
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro

5
windows/deployment/usmt/usmt-what-does-usmt-migrate.md
View File

@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/01/2022
ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@ -78,6 +78,9 @@ This section describes the user data that USMT migrates by default, using the `M
> [!NOTE]
> The asterisk (`*`) stands for zero or more characters.
> [!NOTE]
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
- **Access control lists.** USMT migrates access control lists (ACLs) for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named `File1.txt` that is **read-only** for **User1** and **read/write** for **User2**, these settings will still apply on the destination computer after the migration.
> [!IMPORTANT]

84
windows/deployment/vda-subscription-activation.md
View File

@ -11,12 +11,12 @@ ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
ms.collection: M365-modern-desktop
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Configure VDA for Windows subscription activation
Applies to:
*Applies to:*
- Windows 10
- Windows 11
@ -61,42 +61,55 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
## Active Directory-joined VMs
1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image)
2. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
2. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
3. At an elevated command prompt, type **sysdm.cpl** and press ENTER.
3. At an elevated command prompt, enter **sysdm.cpl**.
4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
5. Select **Add**, type **Authenticated users**, and then select **OK** three times.
5. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again.
7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8.
1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
1. Open Windows Configuration Designer and select **Provision desktop services**.
1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
2. Open Windows Configuration Designer and select **Provision desktop services**.
3. Under **Name**, enter **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
> [!NOTE]
> You can use a different project name, but this name is also used with dism.exe in a later step.
1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
1. On the Set up network page, choose **Off**.
1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
4. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
5. On the Set up network page, choose **Off**.
6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
> [!NOTE]
> This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
1. On the Add applications page, add applications if desired. This step is optional.
1. On the Add certificates page, add certificates if desired. This step is optional.
1. On the Finish page, select **Create**.
1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
7. On the Add applications page, add applications if desired. This step is optional.
8. On the Add certificates page, add certificates if desired. This step is optional.
9. On the Finish page, select **Create**.
10. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
11. Enter the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
```cmd
Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg"
```
1. Right-click the mounted image in file explorer and select **Eject**.
12. Right-click the mounted image in file explorer and select **Eject**.
8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image.
@ -107,33 +120,50 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
- When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg**
- When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure).
## Azure Gallery VMs
1. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
1. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
2. At an elevated command prompt, type `sysdm.cpl` and press ENTER.
2. At an elevated command prompt, enter `sysdm.cpl`.
3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
4. Select **Add**, type **Authenticated users**, and then select **OK** three times.
4. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
6. Open Windows Configuration Designer and select **Provision desktop services**.
7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
1. Under **Name**, enter **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
2. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
8. Under **Name**, enter **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
9. On the Set up network page, choose **Off**.
10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
11. On the Add applications page, add applications if desired. This step is optional.
12. On the Add certificates page, add certificates if desired. This step is optional.
13. On the Finish page, select **Create**.
14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system.
> [!NOTE]
@ -142,9 +172,13 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
## Create custom RDP settings for Azure
1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host.
2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it.
3. Close the Remote Desktop Connection window and open Notepad.
4. Open the RDP file in Notepad to edit it.
5. Enter or replace the line that specifies authentication level with the following two lines of text:
```text

5
windows/deployment/wds-boot-support.md
View File

@ -8,13 +8,14 @@ ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Windows Deployment Services (WDS) boot.wim support
Applies to:
*Applies to:*
- Windows 10
- Windows 11

5
windows/deployment/windows-10-deployment-posters.md
View File

@ -9,12 +9,13 @@ ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: reference
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Windows 10 deployment process posters
**Applies to**
*Applies to:*
- Windows 10
The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager.

22
windows/deployment/windows-10-deployment-scenarios.md
View File

@ -7,13 +7,13 @@ author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Windows 10 deployment scenarios
**Applies to**
*Applies to:*
- Windows 10
@ -55,9 +55,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)<br>[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)<br>[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
>[!IMPORTANT]
>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
> [!IMPORTANT]
> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
## Modern deployment methods
@ -106,7 +106,7 @@ For new PCs, organizations have historically replaced the version of Windows inc
The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
### Windows 10 Subscription Activation<A ID="windows-10-subscription-activation"></A>
### Windows 10 Subscription Activation
Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
@ -122,17 +122,17 @@ These scenarios can be used to enable "choose your own device" (CYOD) programs.
While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
## Traditional deployment:
## Traditional deployment
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them.
The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
- **New computer.** A bare-metal deployment of a new machine.
- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
- **New computer**: A bare-metal deployment of a new machine.
- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
### New computer

22
windows/deployment/windows-10-enterprise-e3-overview.md
View File

@ -3,7 +3,7 @@ title: Windows 10/11 Enterprise E3 in CSP
description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
@ -15,7 +15,8 @@ ms.technology: itpro-deploy
# Windows 10/11 Enterprise E3 in CSP
Applies to:
*Applies to:*
- Windows 10
- Windows 11
@ -60,15 +61,15 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin
Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro*
### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
|Feature|Description|
|--- |--- |
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<p>Credential Guard has the following features:<li>**Hardware-level security**. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security**. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats**. Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability**. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<p>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<p>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<p>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<p>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<p>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<p>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<p>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<p>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<p>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
## Deployment of Windows 10/11 Enterprise E3 licenses
@ -104,8 +105,6 @@ For more information about implementing Credential Guard, see the following reso
- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
### Device Guard
Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
@ -152,6 +151,7 @@ For more information about implementing the App-V server, App-V sequencer, and A
- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
### UE-V
UE-V requires server and client-side components that you'll need to download, activate, and install. These components include:
- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
@ -174,7 +174,7 @@ For more information about deploying UE-V, see the following resources:
The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
*Table 2. Managed User Experience features*
#### Table 2. Managed User Experience features
| Feature | Description |
|------------------|-----------------|

4
windows/deployment/windows-10-media.md
View File

@ -3,7 +3,7 @@ title: Windows 10 volume license media
description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@ -14,7 +14,7 @@ ms.technology: itpro-deploy
# Windows 10 volume license media
**Applies to**
*Applies to:*
- Windows 10

8
windows/deployment/windows-10-missing-fonts.md
View File

@ -7,12 +7,12 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# How to install fonts that are missing after upgrading to Windows client
**Applies to**
*Applies to:*
- Windows 10
- Windows 11
@ -36,7 +36,7 @@ For example, if you've an English, French, German, or Spanish version of Windows
If you want to use these fonts, you can enable the optional feature to add them back to your system. The removal of these fonts is a permanent change in behavior for Windows client, and it will remain this way in future releases.
## Installing language-associated features via language settings:
## Installing language-associated features via language settings
If you want to use the fonts from the optional feature and you know that you'll want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app.
@ -57,7 +57,7 @@ Once you've added Hebrew to your language list, then the optional Hebrew font fe
> [!NOTE]
> The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
## Install optional fonts manually without changing language settings:
## Install optional fonts manually without changing language settings
If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.

114
windows/deployment/windows-10-poc-mdt.md
View File

@ -3,7 +3,7 @@ title: Step by step - Deploy Windows 10 in a test lab using MDT
description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@ -14,23 +14,26 @@ ms.technology: itpro-deploy
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to**
*Applies to:*
- Windows 10
> [!IMPORTANT]
> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
>
> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
>
> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
>
> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work.
## In this guide
@ -51,8 +54,11 @@ Topics and procedures in this guide are summarized in the following table. An es
## About MDT
MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
## Install MDT
@ -80,11 +86,12 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
A reference image serves as the foundation for Windows 10 devices in your organization.
1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
@ -119,6 +126,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article.
11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**<BR>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
- Task sequence comments: **Reference Build**<BR>
@ -153,7 +161,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
20. Replace the default rules with the following text:
```text
```ini
[Settings]
Priority=Default
@ -188,7 +196,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```text
```ini
[Settings]
Priority=Default
@ -211,7 +219,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
> [!TIP]
> To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
```powershell
New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@ -244,6 +252,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
- **Deployment share path**: C:\MDTProd
- **Share name**: MDTProd$
- **Deployment share description**: MDT Production
@ -274,6 +283,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**.
2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 Custom Image
- Task sequence comments: Production Image
@ -282,22 +292,23 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
- Specify Product Key: Don't specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: http://www.contoso.com
- Internet Explorer home page: `http://www.contoso.com`
- Admin Password: pass@word1
### Configure the MDT production deployment share
1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
```powershell
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
```
2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**.
3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet):
```text
```ini
[Settings]
Priority=Default
@ -341,13 +352,13 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui):
```console
```cmd
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
```
For example, to migrate **all** users on the computer, replace this line with the following line:
```console
```cmd
ScanStateArgs=/all
```
@ -355,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
4. Select **Edit Bootstap.ini** and replace text in the file with the following text:
```text
```ini
[Settings]
Priority=Default
@ -391,9 +402,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
WDSUTIL /Set-Server /AnswerClients:All
```cmd
WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
WDSUTIL.exe /Set-Server /AnswerClients:All
```
2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**.
@ -407,9 +418,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
> [!NOTE]
> Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
> Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt.
Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
@ -417,7 +428,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
>Wait until the disable-netadapter command completes before proceeding.
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@ -437,7 +448,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Enable-NetAdapter "Ethernet 2"
@ -462,7 +473,7 @@ This section will demonstrate how to export user data from an existing client co
vmconnect localhost PC1
```
2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
@ -472,10 +483,10 @@ This section will demonstrate how to export user data from an existing client co
Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
4. Open an elevated command prompt on PC1 and type the following command:
4. Open an elevated command prompt on PC1 and enter the following command:
```console
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```cmd
cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
> [!NOTE]
@ -498,13 +509,13 @@ This section will demonstrate how to export user data from an existing client co
8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
```
10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
@ -516,15 +527,18 @@ This section will demonstrate how to export user data from an existing client co
## Replace a computer with Windows 10
At a high level, the computer replace process consists of:<BR>
At a high level, the computer replace process consists of:
- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.<BR>
- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
### Create a backup-only task sequence
1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share.
3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-Item -Path C:\MigData -ItemType directory
@ -533,45 +547,56 @@ At a high level, the computer replace process consists of:<BR>
```
4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**.
5. Name the new folder **Other**, and complete the wizard using default options.
6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard:
- **Task sequence ID**: REPLACE-001
- **Task sequence name**: Backup Only Task Sequence
- **Task sequence comments**: Run USMT to back up user data and settings
- **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template)
7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings.
8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
### Run the backup-only task sequence
1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt:
```console
whoami
```cmd
whoami.exe
```
2. To ensure a clean environment before running the backup task sequence, type the following commands at an elevated Windows PowerShell prompt on PC1:
2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
Remove-Item c:\minint -recurse
Remove-Item c:\_SMSTaskSequence -recurse
Restart-Computer
```
3. Sign in to PC1 using the contoso\administrator account, and then type the following command at an elevated command prompt:
```console
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt:
```cmd
cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
4. Complete the deployment wizard using the following settings:
- **Task Sequence**: Backup Only Task Sequence
- **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
- **Computer Backup**: Don't back up the existing computer.
5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete.
7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
```powershell
PS C:\> dir C:\MigData\PC1\USMT
```cmd
dir C:\MigData\PC1\USMT
Directory: C:\MigData\PC1\USMT
@ -582,14 +607,14 @@ At a high level, the computer replace process consists of:<BR>
### Deploy PC3
1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
```
2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
@ -628,6 +653,7 @@ At a high level, the computer replace process consists of:<BR>
## Troubleshooting logs, events, and utilities
Deployment logs are available on the client computer in the following locations:
- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
- After deployment: %WINDIR%\TEMP\DeploymentLogs

411
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -9,16 +9,16 @@ manager: aaroncz
ms.author: frankroj
author: frankroj
ms.topic: tutorial
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Deploy Windows 10 in a test lab using Configuration Manager
*Applies to*
*Applies to:*
- Windows 10
> [!Important]
> [!IMPORTANT]
> This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides:
>
> - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
@ -59,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate
## Install prerequisites
1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
@ -69,7 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
> If the request to add features fails, retry the installation by typing the command again.
2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
@ -77,15 +77,15 @@ The procedures in this guide are summarized in the following table. An estimate
This command mounts the .ISO file to drive D on SRV1.
4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
```powershell
```cmd
D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
```
Installation will take several minutes. When installation is complete, the following output will be displayed:
```dos
```console
Microsoft (R) SQL Server 2014 12.00.5000.00
Copyright (c) Microsoft Corporation. All rights reserved.
@ -99,10 +99,9 @@ The procedures in this guide are summarized in the following table. An estimate
Success
One or more affected files have operations pending.
You should restart your computer to complete this process.
PS C:\>
```
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow
@ -124,13 +123,13 @@ The procedures in this guide are summarized in the following table. An estimate
Stop-Process -Name Explorer
```
1. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
```dos
```powershell
Get-Service Winmgmt
Status Name DisplayName
@ -157,36 +156,48 @@ The procedures in this guide are summarized in the following table. An estimate
If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt:
```powershell
cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
```cmd
C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
```
1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1:
```dos
```cmd
adsiedit.msc
```
1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
1. Select **container** and then select **Next**.
1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**.
1. Right-click **CN=system Management** and then select **Properties**.
1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
1. Under **Enter the object names to select**, type **SRV1** and select **OK**.
1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
1. Close the ADSI Edit console and switch back to SRV1.
1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
```powershell
cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
9. Select **container** and then select **Next**.
10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**.
11. Right-click **CN=system Management** and then select **Properties**.
12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
13. Under **Enter the object names to select**, enter **SRV1** and select **OK**.
14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
17. Close the ADSI Edit console and switch back to SRV1.
18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```cmd
C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
```
1. Provide the following information in the Configuration Manager Setup Wizard:
19. Provide the following information in the Configuration Manager Setup Wizard:
- **Before You Begin**: Read the text and select *Next*.
- **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- Select **Yes** in response to the popup window.
@ -206,7 +217,7 @@ The procedures in this guide are summarized in the following table. An estimate
Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete.
1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
```powershell
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
@ -217,24 +228,30 @@ The procedures in this guide are summarized in the following table. An estimate
> [!IMPORTANT]
> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
<!--
THE LINK REFERENCED IN THE BELOW URL IS DEAD SO COMMENTING OUT
> If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/).
-->
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
```
3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
3. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
```cmd
D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi
```
4. Install DaRT 10 using default settings.
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
@ -247,7 +264,7 @@ This section contains several procedures to support Zero Touch installation with
### Create a folder structure
1. Type the following commands at a Windows PowerShell prompt on SRV1:
1. Enter the following commands at a Windows PowerShell prompt on SRV1:
```powershell
New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
@ -262,56 +279,78 @@ This section contains several procedures to support Zero Touch installation with
### Enable MDT ConfigMgr integration
1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**.
2. Type `PS1` as the **Site code**, and then select **Next**.
1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**.
2. Enter `PS1` as the **Site code**, and then select **Next**.
3. Verify **The process completed successfully** is displayed, and then select **Finish**.
### Configure client settings
1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar.
3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab.
4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**.
5. In the display pane, double-click **Default Client Settings**.
6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**.
6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**.
### Configure the network access account
1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**.
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
4. Select the yellow starburst and then select **New Account**.
5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**.
6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice.
5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**.
6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice.
### Configure a boundary group
1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
3. Choose **Default-First-Site-Name** and then select **OK** twice.
4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox.
7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice.
### Add the state migration point role
1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**.
3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**.
4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
5. Select **Next** twice and then select **Close**.
### Enable PXE on the distribution point
> [!IMPORTANT]
> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
WDSUTIL /Set-Server /AnswerClients:None
```cmd
WDSUTIL.exe /Set-Server /AnswerClients:None
```
1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1:
1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
(Get-NetAdapter "Ethernet").MacAddress
@ -321,8 +360,11 @@ WDSUTIL /Set-Server /AnswerClients:None
> If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**.
3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**.
4. On the PXE tab, select the following settings:
- **Enable PXE support for clients**. Select **Yes** in the popup that appears.
- **Allow this distribution point to respond to incoming PXE requests**
- **Enable unknown computer support**. Select **OK** in the popup that appears.
@ -334,10 +376,11 @@ WDSUTIL /Set-Server /AnswerClients:None
![Config Mgr PXE.](images/configmgr-pxe.png)
5. Select **OK**.
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```powershell
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```cmd
dir /b C:\RemoteInstall\SMSBoot\x64
abortpxe.com
bootmgfw.efi
@ -349,12 +392,12 @@ WDSUTIL /Set-Server /AnswerClients:None
```
> [!NOTE]
> If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
> If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
>
> You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
> You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
>
> ```powershell
> Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
> ```cmd
> "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe"
> ```
>
> The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
@ -366,7 +409,8 @@ WDSUTIL /Set-Server /AnswerClients:None
### Create a branding image file
1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image.
2. Type the following command at an elevated Windows PowerShell prompt:
2. Enter the following command at an elevated Windows PowerShell prompt:
```powershell
Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp"
@ -378,16 +422,26 @@ WDSUTIL /Set-Server /AnswerClients:None
### Create a boot image for Configuration Manager
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
- The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later.
3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**.
3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**.
4. On the Options page, under **Platform** choose **x64**, and select **Next**.
5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**.
6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
7. Select **Finish**.
8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**.
9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**.
10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
@ -400,12 +454,15 @@ WDSUTIL /Set-Server /AnswerClients:None
```
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab.
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**.
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
```console
cmd /c dir /s /b C:\RemoteInstall\SMSImages
```cmd
dir /s /b C:\RemoteInstall\SMSImages
C:\RemoteInstall\SMSImages\PS100004
C:\RemoteInstall\SMSImages\PS100005
@ -422,19 +479,19 @@ WDSUTIL /Set-Server /AnswerClients:None
If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**.
1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
1. Use the following settings for the New Deployment Share Wizard:
5. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**
- Share name: **MDTBuildLab$**
- Deployment share description: **MDT build lab**
@ -443,22 +500,23 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
- Progress: settings will be applied
- Confirmation: Select **Finish**
1. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
1. Use the following settings for the Import Operating System Wizard:
9. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**
- Source: **D:\\**
- Destination: **W10Ent_x64**
- Summary: Select **Next**
- Confirmation: Select **Finish**
1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**
- Task sequence name: **Windows 10 Enterprise x64 Default Image**
- Task sequence comments: **Reference Build**
@ -467,31 +525,31 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- Internet Explorer home page: **http://www.contoso.com**
- Internet Explorer home page: **`http://www.contoso.com`**
- Admin Password: **Do not specify an Administrator password at this time**
- Summary: Select **Next**
- Confirmation: Select **Finish**
1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
> [!NOTE]
> Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications.
1. Select **OK** to complete editing the task sequence.
18. Select **OK** to complete editing the task sequence.
1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
1. Replace the default rules with the following text:
20. Replace the default rules with the following text:
```ini
[Settings]
@ -526,7 +584,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
SkipFinalSummary=NO
```
1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```ini
[Settings]
@ -540,18 +598,18 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
SkipBDDWelcome=YES
```
1. Select **OK** to complete the configuration of the deployment share.
22. Select **OK** to complete the configuration of the deployment share.
1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
> [!TIP]
> To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**.
1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
```powershell
New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@ -561,9 +619,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
vmconnect localhost REFW10X64-001
```
1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures:
@ -579,7 +637,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
### Add a Windows 10 OS image
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
@ -588,9 +646,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**.
3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**.
@ -610,9 +668,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**.
3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
4. On the Details page, enter the following settings:
- Join a domain: **contoso.com**
- Account: Select **Set**
- User name: **contoso\CM_JD**
@ -632,9 +691,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**.
7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**.
8. On the MDT Details page, next to **Name:** enter **MDT** and then select **Next**.
9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**.
@ -644,9 +703,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**.
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**.
14. On the Settings Details page, next to **Name:**, enter **Windows 10 x64 Settings**, and select **Next**.
15. On the Sysprep Package page, select **Next** twice.
@ -663,6 +722,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**.
5. Configure this **Request State Store** step with the following settings:
- Request state storage location to: **Restore state from another computer**
- Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- Options tab: Select the **Continue on error** checkbox.
@ -676,6 +736,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**.
7. Configure this **Release State Store** step with the following settings:
- Options tab: Select the **Continue on error** checkbox.
- Add Condition: **Task Sequence Variable**:
- Variable: **USMTLOCAL**
@ -704,10 +765,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
5. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
```cmd
notepad.exe "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
```
6. Replace the contents of the file with the following text, and then save the file:
@ -735,9 +796,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
> OSDMigrateAdditionalCaptureOptions=/all
> ```
7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
7. Return to the Configuration Manager console, and in the **Software Library** workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
8. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**.
@ -745,7 +806,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
### Create a deployment for the task sequence
1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
1. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**.
@ -761,7 +822,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings.
1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
1. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@ -776,7 +837,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
5. At the command prompt, enter **explorer.exe** and review the Windows PE file structure.
6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
- X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted.
@ -796,6 +857,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment.
11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
- Install Windows 10
- Install the Configuration Manager client and hotfix
- Join the computer to the contoso.com domain
@ -803,7 +865,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
13. Right-click **Start**, select **Run**, enter **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
14. Shut down the PC4 VM.
@ -821,19 +883,25 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
### Create a replace task sequence
1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
1. On SRV1, in the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**.
3. On the General page, type the following information:
3. On the General page, enter the following information:
- Task sequence name: **Replace Task Sequence**
- Task sequence comments: **USMT backup only**
4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue.
5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue.
6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue.
7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue.
8. On the Summary page, review the details and then select **Next**.
9. On the Confirmation page, select **Finish**.
> [!NOTE]
@ -841,7 +909,7 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
### Deploy PC4
Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@ -856,61 +924,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
2. If you haven't already saved a checkpoint for PC1, then do it now. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
1. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
1. When a popup dialog box asks if you want to run full discovery, select **Yes**.
1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
3. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
5. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
6. When a popup dialog box asks if you want to run full discovery, select **Yes**.
7. In the **Assets and Compliance** workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
> [!TIP]
> If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console.
The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next.
1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
8. Sign in to PC1 using the contoso\administrator account and enter the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
> [!Note]
> This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt.
> This command requires an elevated command prompt, not an elevated Windows PowerShell prompt.
```dos
sc stop ccmsetup
```cmd
sc.exe stop ccmsetup
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
```
> [!NOTE]
> If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client).
1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type:
9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, enter:
```dos
net stop wuauserv
net stop BITS
```cmd
net.exe stop wuauserv
net.exe stop BITS
```
Verify that both services were stopped successfully, then type the following command at an elevated command prompt:
Verify that both services were stopped successfully, then enter the following command at an elevated command prompt:
```dos
```cmd
del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
net start BITS
bitsadmin /list /allusers
net.exe start BITS
bitsadmin.exe /list /allusers
```
Verify that BITSAdmin displays zero jobs.
1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt:
10. To install the Configuration Manager client as a standalone process, enter the following command at an elevated command prompt:
```dos
```cmd
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
```
1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can enter the following command at an elevated Windows PowerShell prompt to monitor installation progress:
```powershell
Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
@ -918,21 +991,21 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
```dos
control smscfgrc
```cmd
control.exe smscfgrc
```
1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
14. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
![site.](images/configmgr-site.png)
If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry.
1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
15. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
16. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
![client.](images/configmgr-client.png)
@ -941,9 +1014,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a device collection and deployment
1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- General > Name: **Install Windows 10 Enterprise x64**
- General > Limiting collection: **All Systems**
- Membership Rules > Add Rule: **Direct Rule**
@ -956,7 +1030,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
4. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
5. Use the following settings in the Deploy Software wizard:
- General > Collection: Select Browse and select **Install Windows 10 Enterprise x64**
@ -971,24 +1045,25 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Associate PC4 with PC1
1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**.
1. On SRV1 in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices** and then select **Import Computer Information**.
2. On the Select Source page, choose **Import single computer** and select **Next**.
3. On the Single Computer page, use the following settings:
- Computer Name: **PC4**
- MAC Address: **00:15:5D:83:26:FF**
- Source Computer: \<type the hostname of PC1, or select **Search** twice, select the hostname, and select **OK**\>
- Source Computer: \<enter the hostname of PC1, or select **Search** twice, select the hostname, and select **OK**\>
4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**.
5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice.
5. Select **Browse** and then under **Enter the object name to select** enter **user1** and select **OK** twice.
6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account.
7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**.
8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**.
8. In the **Assets and Compliance** workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration enter will be **side-by-side**.
9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**.
@ -1000,9 +1075,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a device collection for PC1
1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- General > Name: **USMT Backup (Replace)**
- General > Limiting collection: **All Systems**
- Membership Rules > Add Rule: **Direct Rule**
@ -1032,15 +1108,15 @@ In the Configuration Manager console, in the **Software Library** workspace, und
1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt:
```dos
control smscfgrc
```cmd
control.exe smscfgrc
```
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure.
3. Type the following command at an elevated command prompt to open the Software Center:
3. Enter the following command at an elevated command prompt to open the Software Center:
```dos
```cmd
C:\Windows\CCM\SCClient.exe
```
@ -1052,26 +1128,30 @@ In the Configuration Manager console, in the **Software Library** workspace, und
> If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**.
6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup.
### Deploy the new computer
1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Start-VM PC4
vmconnect localhost PC4
```
1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
1. Choose the **Windows 10 Enterprise X64** image.
1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
3. Choose the **Windows 10 Enterprise X64** image.
4. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
5. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
> [!Note]
> The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs.
To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
To save a checkpoint for all VMs, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name DC1 -SnapshotName cm-refresh
@ -1083,14 +1163,17 @@ In the Configuration Manager console, in the **Software Library** workspace, und
### Initiate the computer refresh
1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
1. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box.
3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**.
4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example:
![installOS.](images/configmgr-install-os.png)
The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example:
The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the **Monitoring** workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example:
![asset.](images/configmgr-asset.png)

151
windows/deployment/windows-10-poc.md
View File

@ -9,12 +9,12 @@ ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: tutorial
ms.date: 10/31/2022
ms.date: 11/23/2022
---
# Step by step guide: Configure a test lab to deploy Windows 10
*Applies to*
*Applies to:*
- Windows 10
@ -69,6 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
- **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
- **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2.
Hardware requirements are displayed below:
@ -92,7 +93,9 @@ The lab architecture is summarized in the following diagram:
![PoC diagram.](images/poc.png)
- Computer 1 is configured to host four VMs on a private, PoC network.
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
- Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
> [!NOTE]
@ -120,8 +123,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
```console
C:\>systeminfo
```cmd
C:\>systeminfo.exe
...
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
@ -136,8 +139,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
```console
C:\>coreinfo -v
```cmd
C:\>coreinfo.exe -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
Copyright (C) 2008-2014 Mark Russinovich
@ -205,7 +208,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
The following example displays the procedures described in this section, both before and after downloading files:
```console
```cmd
C:>mkdir VHD
C:>cd VHD
C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd
@ -225,13 +228,23 @@ When you have completed installation of Hyper-V on the host computer, begin conf
If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.<!-- only works with locale :( -->
1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
> [!NOTE]
> The above link may not be available in all locales.
2. Under **Virtual machine**, choose **IE11 on Win7**.
3. Under **Select platform**, choose **HyperV (Windows)**.
4. Select **Download .zip**. The download is 3.31 GB.
5. Extract the zip file. Three directories are created.
6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
If you have a PC available to convert to VM (computer 2):
@ -242,6 +255,7 @@ If you have a PC available to convert to VM (computer 2):
> The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network.
2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
#### Determine the VM generation and partition type
@ -256,6 +270,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
```powershell
@ -265,7 +280,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
```powershell
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
---------- ------- ----
@ -276,7 +291,7 @@ USER-PC1 Disk #0, Partition #1 GPT
On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
```powershell
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
---------- ------- ----
@ -293,34 +308,32 @@ Number Friendly Name OperationalStatus Tota
0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT
```
<span id="determine-vm-generation"/>
**Choosing a VM generation**
##### Choosing a VM generation
The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
**Windows 7 MBR**
###### Windows 7 MBR
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
|64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
**Windows 7 GPT**
###### Windows 7 GPT
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|N/A|N/A|
|64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
**Windows 8 or later MBR**
###### Windows 8 or later MBR
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
|64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
**Windows 8 or later GPT**
###### Windows 8 or later GPT
|Architecture|VM generation|Procedure|
|--- |--- |--- |
@ -347,7 +360,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example.
> [!IMPORTANT]
> You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
> You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation).
4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example:
@ -374,13 +387,14 @@ The following tables display the Hyper-V VM generation to choose based on the OS
2. On the computer you wish to convert, open an elevated command prompt and type the following command:
```console
mountvol s: /s
```cmd
mountvol.exe s: /s
```
This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected.
> [!IMPORTANT]
@ -394,7 +408,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
```console
```cmd
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@ -409,6 +423,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
> [!NOTE]
@ -524,7 +539,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
> [!NOTE]
> The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
To create a generation 1 VM (using c:\vhd\w7.vhdx):
@ -574,19 +589,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
The VM will automatically boot into Windows Setup. In the PC1 window:
1. Select **Next**.
2. Select **Repair your computer**.
3. Select **Troubleshoot**.
4. Select **Command Prompt**.
5. Type the following command to save an image of the OS drive:
```console
dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
```cmd
dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
```
6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
```console
diskpart
```cmd
diskpart.exe
select disk 0
clean
convert MBR
@ -601,14 +620,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
7. Type the following commands to restore the OS image and boot files:
```console
dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
bcdboot c:\windows
```cmd
dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
bcdboot.exe c:\windows
exit
```
8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD.
9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**.
10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
```powershell
@ -626,8 +647,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
```
2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**.
3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account.
> [!NOTE]
> Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
```powershell
@ -690,7 +717,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
The following output should be displayed:
```powershell
```console
UseRootHint : True
Timeout(s) : 3
EnableReordering : True
@ -752,8 +779,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection:
```console
ipconfig
```cmd
ipconfig.exe
Windows IP Configuration
@ -909,8 +936,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
```powershell
ping www.microsoft.com
```cmd
ping.exe www.microsoft.com
```
If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
@ -924,8 +951,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK):
```powershell
PS C:\> ping www.microsoft.com
```cmd
ping www.microsoft.com
Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
@ -943,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm"
Restart-Computer
```
@ -963,7 +990,7 @@ Use the following procedures to verify that the PoC environment is configured pr
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
Get-DhcpServerInDC
Get-DhcpServerv4Statistics
ipconfig /all
ipconfig.exe /all
```
**Get-Service** displays a status of "Running" for all three services.
@ -988,8 +1015,8 @@ Use the following procedures to verify that the PoC environment is configured pr
Get-Service DNS,RemoteAccess
Get-DnsServerForwarder
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
ipconfig /all
netsh int ipv4 show address
ipconfig.exe /all
netsh.exe int ipv4 show address
```
**Get-Service** displays a status of "Running" for both services.
@ -1004,38 +1031,38 @@ Use the following procedures to verify that the PoC environment is configured pr
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
```powershell
whoami
hostname
nslookup www.microsoft.com
ping -n 1 dc1.contoso.com
tracert www.microsoft.com
```cmd
whoami.exe
hostname.exe
nslookup.exe www.microsoft.com
ping.exe -n 1 dc1.contoso.com
tracert.exe www.microsoft.com
```
**whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
**whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
**hostname** displays the name of the local computer, for example W7PC-001.
**hostname.exe** displays the name of the local computer, for example W7PC-001.
**nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
**nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
**ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
**ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
**tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
**tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
## Appendix B: Terminology used in this guide
|Term|Definition|
|--- |--- |
|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
|Hyper-V host|The computer where Hyper-V is installed.|
|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.|
|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
|**Hyper-V host**|The computer where Hyper-V is installed.|
|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.|
|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
## Next steps

15
windows/deployment/windows-10-pro-in-s-mode.md
View File

@ -9,7 +9,7 @@ ms.prod: windows-client
ms.collection:
- M365-modern-desktop
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
@ -37,20 +37,26 @@ Many other transformations are possible depending on which version and edition o
| | Home | Not by any method | Not by any method | Not by any method |
Use the following information to switch to Windows 10 Pro through the Microsoft Store.
> [!IMPORTANT]
> While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
## Switch one device through the Microsoft Store
Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
Note these differences affecting switching modes in various releases of Windows 10:
- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
1. Sign into the Microsoft Store using your Microsoft account.
2. Search for "S mode".
3. In the offer, select **Buy**, **Get**, or **Learn more.**
You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
@ -60,13 +66,14 @@ You'll be prompted to save your files before the switch starts. Follow the promp
Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
1. Start Microsoft Intune.
2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**.
3. Follow the instructions to complete the switch.
## Block users from switching
You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
To set this policy, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
## S mode management with CSPs

6
windows/deployment/windows-10-subscription-activation.md
View File

@ -13,7 +13,7 @@ ms.collection:
search.appverid:
- MET150
ms.topic: conceptual
ms.date: 10/31/2022
ms.date: 11/23/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
@ -98,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac
> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
> [!IMPORTANT]
> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
@ -144,7 +144,7 @@ You can benefit by moving to Windows as an online service in the following ways:
> [!NOTE]
> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
The device is Azure AD-joined from **Settings > Accounts > Access work or school**.
The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**.
You assign Windows 10 Enterprise to a user:

4
windows/deployment/windows-adk-scenarios-for-it-pros.md
View File

@ -6,7 +6,7 @@ ms.author: frankroj
manager: aaroncz
ms.prod: windows-client
ms.localizationpriority: medium
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@ -19,7 +19,7 @@ In previous releases of Windows, the Windows ADK docs were published on both Tec
Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
### Create a Windows image using command-line tools
## Create a Windows image using command-line tools
[DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.

26
windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
View File

@ -16,8 +16,6 @@ msreviewer: hathind
Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
If you need more assistance with tenant enrollment, you can submit a [tenant enrollment support request](#submit-a-support-request).
## Check results
For each check, the tool will report one of four possible results:
@ -72,27 +70,3 @@ Windows Autopatch requires the following licenses:
| Result | Meaning |
| ----- | ----- |
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
## Submit a support request
> [!IMPORTANT]
> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
If you need more assistance with tenant enrollment, you can submit support tickets to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
**To submit a new support request:**
1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual check. The **Contact Support** button will be available below remediation instructions in the fly-in-pane.
2. Enter your question(s) and/or a description of the problem.
3. Review all the information you provided for accuracy.
4. When you're ready, select **Create**.
### Manage an active support request
The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request.
**To view all your active pre-enrollment support requests:**
1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.

8
windows/deployment/windows-autopilot/index.yml
View File

@ -6,12 +6,10 @@ summary: 'Note: Windows Autopilot documentation has moved! A few more resources
metadata:
title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-deploy
ms.collection:
- windows-10
- highpri
author: frankroj
ms.author: frankroj

91
windows/deployment/windows-deployment-scenarios-and-tools.md
View File

@ -6,7 +6,7 @@ ms.author: frankroj
author: frankroj
ms.prod: windows-client
ms.topic: article
ms.date: 10/31/2022
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
@ -32,13 +32,13 @@ DISM is one of the deployment tools included in the Windows ADK and is used for
DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
``` syntax
```cmd
Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
```
In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
``` syntax
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
-Source D:\Sources\SxS -LimitAccess
```
@ -55,15 +55,15 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a
USMT includes several command-line tools, the most important of which are ScanState and LoadState:
- **ScanState.exe.** This tool performs the user-state backup.
- **LoadState.exe.** This tool performs the user-state restore.
- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe.
- **ScanState.exe**: This tool performs the user-state backup.
- **LoadState.exe**: This tool performs the user-state restore.
- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe.
In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
- **Migration templates.** The default templates in USMT.
- **Custom templates.** Custom templates that you create.
- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
- **Migration templates**: The default templates in USMT.
- **Custom templates**: Custom templates that you create.
- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
![A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files..](images/mdt-11-fig06.png)
@ -74,58 +74,19 @@ USMT supports capturing data and settings from Windows Vista and later, and rest
By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
- Specific file types.
<details>
<summary>USMT templates migrate the following file types:</summary>
- `.accdb`
- `.ch3`
- `.csv`
- `.dif`
- `.doc*`
- `.dot*`
- `.dqy`
- `.iqy`
- `.mcw`
- `.mdb*`
- `.mpp`
- `.one*`
- `.oqy`
- `.or6`
- `.pot*`
- `.ppa`
- `.pps*`
- `.ppt*`
- `.pre`
- `.pst`
- `.pub`
- `.qdf`
- `.qel`
- `.qph`
- `.qsd`
- `.rqy`
- `.rtf`
- `.scd`
- `.sh3`
- `.slk`
- `.txt`
- `.vl*`
- `.vsd`
- `.wk*`
- `.wpd`
- `.wps`
- `.wq1`
- `.wri`
- `.xl*`
- `.xla`
- `.xlb`
- `.xls*`
</details>
- The following specific file types:
`.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
> [!NOTE]
> The asterisk (`*`) stands for zero or more characters.
> [!NOTE]
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
- Operating system component settings
- Application settings
These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md).
@ -160,7 +121,7 @@ The updated Volume Activation Management Tool.
VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
``` syntax
```powershell
Get-VamtProduct
```
@ -178,7 +139,7 @@ A machine booted with the Windows ADK default Windows PE boot image.
For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro).
## <a href="" id="sec07"></a>Windows Recovery Environment
## Windows Recovery Environment
Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE.
@ -204,9 +165,9 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan
Also, there are a few new features related to TFTP performance:
- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability.
- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size.
![TFTP changes are now easy to perform.](images/mdt-11-fig12.png)
@ -214,7 +175,6 @@ TFTP changes are now easy to perform.
## Microsoft Deployment Toolkit
MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager.
@ -252,6 +212,10 @@ The following components are included in the MDOP suite:
For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/).
<!--
REMOVING SECTION SINCE INTERNET EXPLORER IS NO LONGER SUPPORTED
## Internet Explorer Administration Kit 11
There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
@ -262,6 +226,8 @@ The User Experience selection screen in IEAK 11.
To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](/internet-explorer/ie11-ieak/ieak-information-and-downloads) page.
-->
## Windows Server Update Services
WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
@ -274,7 +240,6 @@ For more information on WSUS, see the [Windows Server Update Services Overview](
## Unified Extensible Firmware Interface
For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
### Introduction to UEFI
@ -299,7 +264,7 @@ With UEFI, you can benefit from:
- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
### Versions
### UEFI versions
UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.

7
windows/hub/index.yml
View File

@ -8,12 +8,9 @@ brand: windows
metadata:
title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice # Optional; Remove if no subservice is used.
ms.topic: hub-page # Required
ms.topic: hub-page
ms.prod: windows-client
ms.collection:
- windows-10
- highpri
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: dougeby #Required; microsoft alias of author; optional team alias.

6
windows/security/docfx.json
View File

@ -65,13 +65,13 @@
},
"fileMetadata": {
"author":{
"/identity-protection/hello-for-business/*.md": "paolomatarazzo"
"identity-protection/hello-for-business/**/*.md": "paolomatarazzo"
},
"ms.author":{
"/identity-protection/hello-for-business/*.md": "paoloma"
"identity-protection/hello-for-business/**/*.md": "paoloma"
},
"ms.reviewer":{
"/identity-protection/hello-for-business/*.md": "erikdau"
"identity-protection/hello-for-business/**/*.md": "erikdau"
}
},
"template": [],

32
windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
View File

@ -1,37 +1,23 @@
---
title: Multi-factor Unlock
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 03/20/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Multi-factor Unlock
**Requirements:**
* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer, or Windows 11
* Bluetooth, Bluetooth capable phone - optional
Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim.
Which organizations can take advantage of Multi-factor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
* Want to prevent Information Workers from sharing credentials.
* Want their organizations to comply with regulatory two-factor authentication policy.
* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution.
- Have expressed that PINs alone do not meet their security needs
- Want to prevent Information Workers from sharing credentials
- Want their organizations to comply with regulatory two-factor authentication policy
- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution
You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.

23
windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
View File

@ -1,25 +1,18 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 06/23/2021
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Azure Active Directory join cloud only deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)]
## Introduction
When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed.
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
@ -71,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello
Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
```
These registry settings are pushed from Intune for user policies:

17
windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
View File

@ -1,22 +1,11 @@
---
title: Having enough Domain Controllers for Windows Hello for Business deployments
description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016 or later</b>
- ✅ <b>Hybrid or On-Premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments

13
windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
View File

@ -1,19 +1,10 @@
---
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello and password changes

15
windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
View File

@ -1,21 +1,10 @@
---
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.prod: windows-client
ms.collection:
- M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 01/12/2021
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Holographic for Business</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello biometrics in the enterprise

22
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -1,25 +1,15 @@
---
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
# Prepare and Deploy Active Directory Federation Services (AD FS)
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS). The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
@ -120,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
## Review & validate
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
- Confirm the AD FS farm uses the correct database configuration.

21
windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
View File

@ -1,28 +1,21 @@
---
title: Configure Windows Hello for Business Policy settings - certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
ms.prod: windows-client
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Configure Windows Hello for Business Policy settings - Certificate Trust
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later.
On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
* Enable Windows Hello for Business

22
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
View File

@ -1,24 +1,16 @@
---
title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Validate Active Directory prerequisites for cert-trust deployment
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
> [!NOTE]
@ -30,7 +22,9 @@ Manually updating Active Directory uses the command-line utility **adprep.exe**
To locate the schema master role holder, open and command prompt and type:
```Netdom query fsmo | findstr -i “schema”```
```cmd
netdom.exe query fsmo | findstr.exe -i "schema"
```
![Netdom example output.](images/hello-cmd-netdom.png)

18
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
View File

@ -1,24 +1,16 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Validate and Deploy Multi-Factor Authentication feature
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)

26
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
View File

@ -1,29 +1,21 @@
---
title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# Validate and Configure Public Key Infrastructure - Certificate Trust Model
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
## Deploy an enterprise certificate authority
This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services.
### Lab-based public key infrastructure
@ -34,13 +26,13 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
>[!NOTE]
>Never install a certificate authority on a domain controller in a production environment.
1. Open an elevated Windows PowerShell prompt.
2. Use the following command to install the Active Directory Certificate Services role.
1. Open an elevated Windows PowerShell prompt
2. Use the following command to install the Active Directory Certificate Services role
```PowerShell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.
3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration
```PowerShell
Install-AdcsCertificationAuthority
```

18
windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
View File

@ -1,24 +1,16 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
description: A guide to on premises, certificate trust Windows Hello for Business deployment.
ms.prod: windows-client
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: prsriva
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployments</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
---
# On Premises Certificate Trust Deployment
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:

18
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -1,25 +1,13 @@
---
title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/15/2022
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Deployment Overview
**Applies to**
- Windows 10, version 1703 or later
- Windows 11
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.

19
windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
View File

@ -1,17 +1,10 @@
---
title: Windows Hello for Business Deployment Known Issues
description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
params: siblings_only
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/03/2021
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Known Deployment Issues
@ -19,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym
## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error
Applies to:
- Azure AD joined deployments
- Windows 10, version 1803 and later
- Windows 11
PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
### Identifying Azure AD joined PIN Reset Allowed Domains Issue

19
windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
View File

@ -1,30 +1,21 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Key Deployment
description: A guide to on premises, key trust Windows Hello for Business deployment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# On Premises Key Trust Deployment
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment:
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)

16
windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
View File

@ -1,19 +1,13 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: erikdau
ms.collection:
- M365-identity-device-management
- ContentEngagementFY23
ms.topic: how-to
ms.topic: article
localizationpriority: medium
ms.date: 11/15/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.technology: itpro-security
---
@ -61,7 +55,7 @@ Follow these steps to create a certificate template:
| *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*</li></ul>|
| *General* | <ul><li>Specify a **Template display name**, for example *WHfB Certificate Authentication*</li><li>Set the validity period to the desired value</li><li>Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)</li></ul>|
| *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
| *Subject Name* | <ul><li> Select the **Build from this Active Directory** information button if it isn't already selected</li><li>Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected</li><li>Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**</li></ul>|
| *Subject Name* | <ul><li> Select the **Build from this Active Directory** information button if it isn't already selected</li><li>Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected</li><li>Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**</li></ul><br>**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.|
|*Request Handling*|<ul><li>Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose</li><li>Select the **Renew with same key** check box</li><li>Select **Prompt the user during enrollment**</li></ul>|
|*Cryptography*|<ul><li>Set the Provider Category to **Key Storage Provider**</li><li>Set the Algorithm name to **RSA**</li><li>Set the minimum key size to **2048**</li><li>Select **Requests must use one of the following providers**</li><li>Select **Microsoft Software Key Storage Provider**</li><li>Set the Request hash to **SHA256**</li></ul>|
|*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them|
@ -139,14 +133,14 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c
| --- | --- |
|*Certificate Type*| User |
|*Subject name format* | `CN={{UserPrincipalName}}` |
|*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}`
|*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}`
|*Certificate validity period* | Configure a value of your choosing|
|*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**
|*Key usage*| **Digital Signature**|
|*Key size (bits)* | **2048**|
|*For Hash algorithm*|**SHA-2**|
|*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate|
|*Extended key usage*| <ul><li>*Name:* **Smart Card Logon**</li><li>*Object Identifier:* `1.3.6.1.4.1.311.20.2.2`</li><li>*Predefined Values:* **Smart Card Logon**</li><br><li>*Name:* **Client Authentication**</li><li>*Object Identifier:* `1.3.6.1.5.5.7.3.2 `</li><li>*Predefined Values:* **Client Authentication**</li></ul>|
|*Extended key usage*| <ul><li>*Name:* **Smart Card Logon**</li><li>*Object Identifier:* `1.3.6.1.4.1.311.20.2.2`</li><li>*Predefined Values:* **Not configured**</li><br><li>*Name:* **Client Authentication**</li><li>*Object Identifier:* `1.3.6.1.5.5.7.3.2 `</li><li>*Predefined Values:* **Client Authentication**</li></ul>|
|*Renewal threshold (%)*|Configure a value of your choosing|
|*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure|

12
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -1,20 +1,10 @@
---
title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
ms.topic: troubleshooting
ms.localizationpriority: medium
ms.date: 05/05/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
---
# Windows Hello errors during PIN creation

13
windows/security/identity-protection/hello-for-business/hello-event-300.md
View File

@ -1,19 +1,10 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Event ID 300 - Windows Hello successfully created

5
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -19,8 +19,7 @@ metadata:
localizationpriority: medium
ms.date: 11/11/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
title: Windows Hello for Business Frequently Asked Questions (FAQ)
summary: |
@ -211,7 +210,7 @@ sections:
- question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
answer: |
No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
- question: Does Windows Hello for Business prevent the use of simple PINs?
answer: |

12
windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
View File

@ -1,16 +1,10 @@
---
title: Conditional Access
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/09/2019
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Conditional access

13
windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
View File

@ -1,16 +1,10 @@
---
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/09/2019
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Dual Enrollment
@ -19,7 +13,6 @@ ms.technology: itpro-security
* Hybrid and On-premises Windows Hello for Business deployments
* Enterprise joined or Hybrid Azure joined devices
* Windows 10, version 1709 or later
* Certificate trust
> [!NOTE]

13
windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
View File

@ -1,19 +1,10 @@
---
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 07/12/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Dynamic lock

23
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -1,21 +1,13 @@
---
title: Pin Reset
description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 07/29/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# PIN reset
@ -31,11 +23,6 @@ There are two forms of PIN reset:
There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
**Requirements**
- Reset from settings - Windows 10, version 1703 or later, Windows 11
- Reset above Lock - Windows 10, version 1709 or later, Windows 11
Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
@ -185,7 +172,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
- Value: **True**
>[!NOTE]
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant.
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id
```
---

15
windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
View File

@ -1,24 +1,15 @@
---
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/24/2021
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Remote Desktop
**Requirements**
- Windows 10
- Windows 11
- Hybrid and On-premises Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices

13
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - Authentication
description: Learn about the authentication flow for Windows Hello for Business.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 02/15/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business and Authentication

13
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Provisioning

21
windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
View File

@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 10/08/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Technology and terms
@ -158,7 +149,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
## Federated environment
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
### Related to federated environment
@ -194,7 +185,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
## Hybrid deployment
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
### Related to hybrid deployment
@ -269,7 +260,7 @@ The Windows Hello for Business on-premises deployment is for organizations that
## Pass-through authentication
Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related to pass-through authentication
@ -283,7 +274,7 @@ Pass-through authentication provides a simple password validation for Azure AD a
## Password hash sync
Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related to password hash sync

12
windows/security/identity-protection/hello-for-business/hello-how-it-works.md
View File

@ -1,18 +1,10 @@
---
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/05/2018
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# How Windows Hello for Business works in Windows Devices

20
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
View File

@ -1,25 +1,15 @@
---
title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Azure Active Directory-join</b>
- ✅ <b>Hybrid Deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
## Prerequisites
Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices.

20
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -1,26 +1,16 @@
---
title: Using Certificates for AADJ On-premises Single-sign On single sign-on
title: Use Certificates to enable SSO for Azure AD join devices
description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Azure AD-join</b>
- ✅ <b>Hybrid Deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Using Certificates for AADJ On-premises Single-sign On
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)]
If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
> [!IMPORTANT]

15
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
View File

@ -1,22 +1,15 @@
---
title: Azure AD Join Single Sign-on Deployment
description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Azure AD Join Single Sign-on Deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate.
## Key vs. Certificate

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
View File

@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -1,24 +1,15 @@
---
title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Prerequisites
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:

23
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
View File

@ -1,39 +1,30 @@
---
title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/08/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Certificate Trust Deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
## Federated Baseline
The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
View File

@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
View File

@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
### Creating Security Groups

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -1,24 +1,15 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
## Federation Services
The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
View File

@ -1,25 +1,16 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -1,25 +1,16 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.

16
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
View File

@ -1,24 +1,14 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
## Policy Configuration

17
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
View File

@ -1,24 +1,15 @@
---
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Certificate trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.

21
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -1,29 +1,14 @@
---
title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 11/1/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H2 and later</a>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10, version 21H2 and later</a>
ms.topic: article
---
# Hybrid cloud Kerberos trust deployment
This document describes Windows Hello for Business functionalities or scenarios that apply to:\
**Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
**Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md)\
**Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
<br>
---
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)]
Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.

17
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -1,24 +1,15 @@
---
title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)

17
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
View File

@ -1,24 +1,15 @@
---
title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/04/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
> [!NOTE]

17
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
View File

@ -1,24 +1,15 @@
---
title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
## Deploy Azure AD Connect

22
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -1,24 +1,16 @@
---
title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
@ -33,7 +25,7 @@ The distributed systems on which these technologies were built involved several
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.
If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
@ -113,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS.
### Section Review

21
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
View File

@ -1,33 +1,24 @@
---
title: Hybrid Key Trust Deployment (Windows Hello for Business)
description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Key Trust Deployment
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline ##
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.

18
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
View File

@ -1,23 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.

18
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
View File

@ -1,24 +1,14 @@
---
title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users.

19
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
View File

@ -1,27 +1,18 @@
---
title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
### Group Memberships for the Azure AD Connect Service Account
>[!IMPORTANT]

17
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
View File

@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 04/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust.

17
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
View File

@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
## Policy Configuration
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).

17
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
View File

@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business key trust settings
[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business.
> [!IMPORTANT]

12
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -1,18 +1,13 @@
---
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
---
# Windows Hello for Business Deployment Prerequisite Overview
@ -21,7 +16,6 @@ This article lists the infrastructure requirements for the different deployment
## Azure AD Cloud Only Deployment
* Windows 10, version 1511 or later, or Windows 11
* Microsoft Azure Account
* Azure Active Directory
* Azure AD Multifactor Authentication

Some files were not shown because too many files have changed in this diff Show More