deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/microsoftdocs/windows-itpro-docs into public-8919

Browse Source
This commit is contained in:
Liza Poggemeyer 2019-08-09 14:50:47 -07:00
commit b887daef29
216 changed files with 17150 additions and 16941 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
browsers/edge/includes/allow-adobe-flash-include.md
View File

@ -3,7 +3,8 @@ author: eavena
ms.author: eravena
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
@ -34,7 +35,7 @@ ms.topic: include
#### MDM settings
- **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash)
- **Supported devices:** Desktop
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash
- **Data type:** Integer
#### Registry settings

3
browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
View File

@ -7,7 +7,8 @@ author: lomayor
ms.prod: ie11
ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
ms.reviewer:
audience: itpro manager: dansimp
audience: itpro
manager: dansimp
ms.author: lomayor
title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
ms.sitesec: library

12
devices/surface-hub/surface-hub-update-history.md
View File

@ -26,6 +26,18 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
<details>
<summary>June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897)</summary>
This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
* Addresses an issue with log collection for Microsoft Surface Hub 2S.
* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully.
Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
*[KB4503289](https://support.microsoft.com/help/4503289)
</details>
<details>
<summary>May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835)</summary>

5
devices/surface-hub/whiteboard-collaboration.md
View File

@ -34,7 +34,7 @@ To get Whiteboard to Whiteboard collaboration up and running, youll need to m
- Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet
- Surface Hub needs to be updated to Windows 10, version 1607 or newer
- Port 443 needs to be open since Whiteboard makes standard https requests
- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
- Whiteboard.ms, whiteboard.microsoft.com, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
>[!NOTE]
@ -68,4 +68,5 @@ After youre done, you can export a copy of the Whiteboard collaboration for y
## Related topics
- [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub)
- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)

321
devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
View File

@ -103,39 +103,45 @@ The sample scripts include examples of how to set Surface UEFI settings and how
### Specify certificate and package names
The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script:
The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script:
```
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
57 $packageRoot = "$WorkingDirPath\Config"
58
59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot
61
62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx"
63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg"
64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg"
65
66 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
67 $password = "1234"
58 $certName = "FabrikamSEMMSample.pfx"
59 $DllVersion = "2.26.136.0"
60
61 $certNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($certName)
62 $ProvisioningPackage = $certNameOnly + "ProvisioningPackage.pkg"
63 $ResetPackage = $certNameOnly + "ResetPackage.pkg"
64
65 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
66 Copy-Item "$WorkingDirPath\$certName" $packageRoot
67
68 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath $certName
69 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath $ProvisioningPackage
70 $resetPackageName = Join-Path -Path $packageRoot -ChildPath $ResetPackage
71
72 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
73 $password = "1234"
```
Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
>[!Note]
>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this:
>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this:
```
144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
145 # For convenience we get the thumbprint here and present to the user.
146 $pw = ConvertTo-SecureString $password -AsPlainText -Force
147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
149 Write-Host "Thumbprint =" $certPrint.Thumbprint
150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
151 # For convenience we get the thumbprint here and present to the user.
152 $pw = ConvertTo-SecureString $password -AsPlainText -Force
153 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
154 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
155 Write-Host "Thumbprint =" $certPrint.Thumbprint
```
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
@ -153,46 +159,47 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin
### Configure permissions
The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
```
202 # Configure Permissions
203 foreach ($uefiV2 IN $surfaceDevices.Values) {
204 # Here we define which "identities" will be allowed to modify which settings
205 # PermissionSignerOwner = The primary SEMM enterprise owner identity
206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
208 # Additional user identities created so that the signer owner
209 # can delegate permission control for some settings.
210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
212
213 # Make all permissions owner only by default
214 foreach ($setting IN $uefiV2.Settings.Values) {
215 $setting.ConfiguredPermissionFlags = $ownerOnly
216 }
217 # Allow the local user to change their own password
218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
219
220 # Allow the local user to change the state of the TPM
221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser
222
223 # Allow the local user to change the state of the Front and Rear cameras
224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser
225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser
226
227
228 # Create a unique package name based on family and LSV.
229 # We will choose a name that can be parsed by later scripts.
230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
232
233 # Build and sign the Permission package then save it to a file.
234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
236 $permissionPackageStream.CopyTo($permissionPackage)
237 $permissionPackage.Close()
238 }
210 # Configure Permissions
211 foreach ($uefiV2 IN $surfaceDevices.Values) {
212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
213 Write-Host "Configuring permissions"
214 Write-Host $Device.Model
215 Write-Host "======================="
216
217 # Here we define which "identities" will be allowed to modify which settings
218 # PermissionSignerOwner = The primary SEMM enterprise owner identity
219 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
220 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
221 # Additional user identities created so that the signer owner
222 # can delegate permission control for some settings.
223 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
224 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
225
226 # Make all permissions owner only by default
227 foreach ($setting IN $uefiV2.Settings.Values) {
228 $setting.ConfiguredPermissionFlags = $ownerOnly
229 }
230
231 # Allow the local user to change their own password
232 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
233
234 Write-Host ""
235
236 # Create a unique package name based on family and LSV.
237 # We will choose a name that can be parsed by later scripts.
238 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
239 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
240
241 # Build and sign the Permission package then save it to a file.
242 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
243 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
244 $permissionPackageStream.CopyTo($permissionPackage)
245 $permissionPackage.Close()
246 }
247 }
```
Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values:
@ -204,69 +211,169 @@ You can find information about the available settings names and IDs for Surface
### Configure settings
The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows:
The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows:
```
282 # Configure Settings
283 foreach ($uefiV2 IN $surfaceDevices.Values) {
284 # In this demo, we will start by setting every setting to the default factory setting.
285 # You may want to start by doing this in your scripts
286 # so that every setting gets set to a known state.
287 foreach ($setting IN $uefiV2.Settings.Values) {
288 $setting.ConfiguredValue = $setting.DefaultValue
289 }
290
291 # If you want to set something to a different value from the default,
292 # here are examples of how to accomplish this.
293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled"
294
295 # If you want to leave the setting unmodified, set it to $null
296 # PowerShell has issues setting things to $null so ClearConfiguredValue()
297 # is supplied to do this explicitly.
298 # Here is an example of leaving the UEFI administrator password as-is,
299 # even after we initially set it to factory default above.
300 $uefiV2.SettingsById[501].ClearConfiguredValue()
301
302 # Create a unique package name based on family and LSV.
303 # We will choose a name that can be parsed by later scripts.
304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
306
307 # Build and sign the Settings package then save it to a file.
308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
310 $settingsPackageStream.CopyTo($settingsPackage)
311 $settingsPackage.Close()
312 }
291 # Configure Settings
292 foreach ($uefiV2 IN $surfaceDevices.Values) {
293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
294 Write-Host "Configuring settings"
295 Write-Host $Device.Model
296 Write-Host "===================="
297
298 # In this demo, we will start by setting every setting to the default factory setting.
299 # You may want to start by doing this in your scripts
300 # so that every setting gets set to a known state.
301 foreach ($setting IN $uefiV2.Settings.Values) {
302 $setting.ConfiguredValue = $setting.DefaultValue
303 }
304
305 $EnabledValue = "Enabled"
306 $DisabledValue = "Disabled"
307
308 # If you want to set something to a different value from the default,
309 # here are examples of how to accomplish this.
310 # This disables IPv6 PXE boot by name:
311 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = $DisabledValue
312
313 # This disables IPv6 PXE Boot by ID:
314 $uefiV2.SettingsById[400].ConfiguredValue = $DisabledValue
315
316 Write-Host ""
317
318 # If you want to leave the setting unmodified, set it to $null
319 # PowerShell has issues setting things to $null so ClearConfiguredValue()
320 # is supplied to do this explicitly.
321 # Here is an example of leaving the UEFI administrator password as-is,
322 # even after we initially set it to factory default above.
323 $uefiV2.SettingsById[501].ClearConfiguredValue()
324
325 # Create a unique package name based on family and LSV.
326 # We will choose a name that can be parsed by later scripts.
327 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
328 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
329
330 # Build and sign the Settings package then save it to a file.
331 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
332 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
333 $settingsPackageStream.CopyTo($settingsPackage)
334 $settingsPackage.Close()
335 }
```
Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**.
If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 323 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article.
### Settings registry key
To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location:
To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location:
`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000`
`HKLM\SOFTWARE\Microsoft\Surface\SEMM`
The following code fragment, found on lines 352-363, is used to write this registry key:
The following code fragment, found on lines 380-477, is used to write these registry keys:
```
352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
353 New-RegKey $SurfaceRegKey
354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue
355
356 If ($SurfaceRegValue -eq $null)
357 {
358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null
359 }
360 Else
361 {
362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1
363 }
380 # For SCCM or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
381 $UTCDate = (Get-Date).ToUniversalTime().ToString()
382 $certIssuer = $certPrint.Issuer
383 $certSubject = $certPrint.Subject
384
385 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
386 New-RegKey $SurfaceRegKey
387 $LSVRegValue = Get-ItemProperty $SurfaceRegKey LSV -ErrorAction SilentlyContinue
388 $DateTimeRegValue = Get-ItemProperty $SurfaceRegKey LastConfiguredUTC -ErrorAction SilentlyContinue
389 $OwnershipSessionIdRegValue = Get-ItemProperty $SurfaceRegKey OwnershipSessionId -ErrorAction SilentlyContinue
390 $PermissionSessionIdRegValue = Get-ItemProperty $SurfaceRegKey PermissionSessionId -ErrorAction SilentlyContinue
391 $SettingsSessionIdRegValue = Get-ItemProperty $SurfaceRegKey SettingsSessionId -ErrorAction SilentlyContinue
392 $IsResetRegValue = Get-ItemProperty $SurfaceRegKey IsReset -ErrorAction SilentlyContinue
393 $certUsedRegValue = Get-ItemProperty $SurfaceRegKey CertName -ErrorAction SilentlyContinue
394 $certIssuerRegValue = Get-ItemProperty $SurfaceRegKey CertIssuer -ErrorAction SilentlyContinue
395 $certSubjectRegValue = Get-ItemProperty $SurfaceRegKey CertSubject -ErrorAction SilentlyContinue
396
397
398 If ($LSVRegValue -eq $null)
399 {
400 New-ItemProperty -Path $SurfaceRegKey -Name LSV -PropertyType DWORD -Value $lsv | Out-Null
401 }
402 Else
403 {
404 Set-ItemProperty -Path $SurfaceRegKey -Name LSV -Value $lsv
405 }
406
407 If ($DateTimeRegValue -eq $null)
408 {
409 New-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -PropertyType String -Value $UTCDate | Out-Null
410 }
411 Else
412 {
413 Set-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -Value $UTCDate
414 }
415
416 If ($OwnershipSessionIdRegValue -eq $null)
417 {
418 New-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -PropertyType String -Value $ownerSessionIdValue | Out-Null
419 }
420 Else
421 {
422 Set-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -Value $ownerSessionIdValue
423 }
424
425 If ($PermissionSessionIdRegValue -eq $null)
426 {
427 New-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -PropertyType String -Value $permissionSessionIdValue | Out-Null
428 }
429 Else
430 {
431 Set-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -Value $permissionSessionIdValue
432 }
433
434 If ($SettingsSessionIdRegValue -eq $null)
435 {
436 New-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -PropertyType String -Value $settingsSessionIdValue | Out-Null
437 }
438 Else
439 {
440 Set-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -Value $settingsSessionIdValue
441 }
442
443 If ($IsResetRegValue -eq $null)
444 {
445 New-ItemProperty -Path $SurfaceRegKey -Name IsReset -PropertyType DWORD -Value 0 | Out-Null
446 }
447 Else
448 {
449 Set-ItemProperty -Path $SurfaceRegKey -Name IsReset -Value 0
450 }
451
452 If ($certUsedRegValue -eq $null)
453 {
454 New-ItemProperty -Path $SurfaceRegKey -Name CertName -PropertyType String -Value $certName | Out-Null
455 }
456 Else
457 {
458 Set-ItemProperty -Path $SurfaceRegKey -Name CertName -Value $certName
459 }
460
461 If ($certIssuerRegValue -eq $null)
462 {
463 New-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -PropertyType String -Value $certIssuer | Out-Null
464 }
465 Else
466 {
467 Set-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -Value $certIssuer
468 }
469
470 If ($certSubjectRegValue -eq $null)
471 {
472 New-ItemProperty -Path $SurfaceRegKey -Name CertSubject -PropertyType String -Value $certSubject | Out-Null
473 }
474 Else
475 {
476 Set-ItemProperty -Path $SurfaceRegKey -Name CertSubject -Value $certSubject
477 }
```
### Settings names and IDs

1
mdop/agpm/TOC.md
View File

@ -240,5 +240,6 @@
###### [AGPM Server Connection Settings](agpm-server-connection-settings.md)
###### [Feature Visibility Settings](feature-visibility-settings.md)
##### [Other Enhancements to the GPMC](other-enhancements-to-the-gpmc.md)
## [Troubleshooting AGPM Upgrades](troubleshooting-agpm40-upgrades.md)
## [Resources for AGPM](resources-for-agpm.md)

2
mdop/agpm/index.md
View File

@ -1,7 +1,7 @@
---
title: Advanced Group Policy Management
description: Advanced Group Policy Management
author: jamiejdt
author: dansimp
ms.assetid: 493ca3c3-c3d6-4bb1-9430-dc1e43c86bb0
ms.pagetype: mdop
ms.mktglfcycl: manage

41
mdop/agpm/troubleshooting-agpm40-upgrades.md Normal file
View File

@ -0,0 +1,41 @@
---
title: Troubleshooting AGPM Upgrades
description: Troubleshooting AGPM Upgrades
author: jedodson
ms.assetid: 1abbf0c1-fd32-46a8-a3ba-c005f066523d
ms.reviewer:
manager: dansimp
ms.author: jedodson
ms.pagetype: mdop
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 06/16/2016
---
# Troubleshooting AGPM Upgrades
This section lists common issues that you may encounter when you upgrade your Advanced Group Policy Management (AGPM) server to a newer version (e.g. AGPM 4.0 to AGPM 4.3). To diagnose issues not listed here, it may be helpful to view the [Troubleshooting AGPM](troubleshooting-agpm-agpm40.md) or for an AGPM Administrator (Full Control) to use logging and tracing. For more information, see [Configure Logging and Tracing](configure-logging-and-tracing-agpm40.md).
## What problems are you having?
- [Failed to generate a HTML GPO difference report (Error code 80004003)](#bkmk-error-80004003)
### <a href="" id="bkmk-error-80004003"></a>Failed to generate a HTML GPO difference report (Error code 80004003)
- **Cause**: You have installed the AGPM upgrade package with an incorrect account.
- **Solution**: You will need to be an AGPM administrator in order to fix this issue.
- Ensure you know the username & password of your **AGPM service account**.
- Log onto your AGPM server interactively as your AGPM service account.
- This is critically important, as the install will fail if you use a different account.
- Shutdown the AGPM service.
- Install the required hotfix.
- Connect to AGPM using an AGPM client to test that your difference reports are now functioning.

4
mdop/appv-v4/app-v-45-sp2-release-notes.md
View File

@ -73,11 +73,11 @@ When this has been completed, install the App-V 4.5 SP2 Clients by using Setup.m
When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP2 Desktop Client:
**    msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client for Remote Desktop Services (formerly Terminal Services), use the following command:
**    msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**Note**  
- The APPGUID parameter references the product code of the App-V Clients that you install or upgrade. The product code is unique for each Setup.msi. You can use the Orca Database Editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP2.

2
mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md
View File

@ -156,7 +156,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
**     fsutil behavior set SymlinkEvaluation R2R:1**
**fsutil behavior set SymlinkEvaluation R2R:1**
**Note**  
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.

2
mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md
View File

@ -167,7 +167,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
**     fsutil behavior set SymlinkEvaluation R2R:1**
**fsutil behavior set SymlinkEvaluation R2R:1**
**Note**  
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.

34
mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md
View File

@ -13,10 +13,8 @@ ms.prod: w8
ms.date: 08/30/2016
---
# How to Manually Install the Application Virtualization Client
There are two types of Application Virtualization Client components: the Application Virtualization Desktop Client, which is designed for installation on desktop computers, and the Application Virtualization Client for Remote Desktop Services (formerly Terminal Services), which you can install on Remote Desktop Session Host (RD Session Host) servers . Although the two client installer programs are different, you can use the following procedure to manually install either the Application Virtualization Desktop Client on a single desktop computer or the Application Virtualization Client for Remote Desktop Services on a single RD Session Host server. In a production environment, you most likely will install the Application Virtualization Desktop Client on multiple desktop computers with an automated scripted installation process. For information about how to install multiple clients by using a scripted installation process, see [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md).
**Note**
@ -24,13 +22,9 @@ There are two types of Application Virtualization Client components: the Applica
2. If you have any configuration on the users computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder.
**Note**
For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is installed in the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is installed in the Windows\\SysWOW64 directory.
**To manually install Application Virtualization Desktop Client**
1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive.
@ -52,13 +46,9 @@ For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL
**Note**
For App-V version 4.6 and later, the wizard will also install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86).
For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see <https://go.microsoft.com/fwlink/?LinkId=150700> (https://go.microsoft.com/fwlink/?LinkId=150700).
For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [https://go.microsoft.com/fwlink/?LinkId=150700](https://go.microsoft.com/fwlink/?LinkId=150700).
~~~
If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully.
~~~
6. When the **Microsoft Application Virtualization Desktop Client InstallShield Wizard** is displayed, click **Next**.
@ -85,8 +75,6 @@ If prompted, click **Install**. Installation progress is displayed, and the stat
**Note**
This path must be different for every user, so it should include a user-specific environment variable or a mapped drive or something else that will resolve to a unique path for each user.
4. When you have finished making the changes, click **Next**.
13. On the **Cache Size Settings** screen, you can accept or change the default cache size. Click one of the following radio buttons to choose how to manage the cache space:
@ -98,11 +86,7 @@ If prompted, click **Install**. Installation progress is displayed, and the stat
**Important**
To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**.
~~~
Click **Next** to continue.
~~~
14. In the following sections of the **Runtime Package Policy Configuration** screen, you can change the parameters that affect how the Application Virtualization client behaves during runtime:
@ -117,11 +101,7 @@ Click **Next** to continue.
**Note**
When you install the App-V client to use with a read-only cache, for example, with a VDI server implementation, set **What applications to Auto Load** to **Do not automatically load applications** to prevent the client from trying to update applications in the read-only cache.
~~~
Click **Next** to continue.
~~~
15. On the **Publishing Server** screen, select the **Set up a Publishing Server now** check box if you want to define a publishing server, or click **Next** if you want to complete this later. To define a publishing server, specify the following information:
@ -144,20 +124,8 @@ Click **Next** to continue.
**Note**
If the installation fails for any reason, you might need to restart the computer before trying the install again.
## Related topics
[How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md)
[Stand-Alone Delivery Scenario Overview](stand-alone-delivery-scenario-overview.md)

2
mdop/appv-v4/index.md
View File

@ -1,7 +1,7 @@
---
title: Application Virtualization 4
description: Application Virtualization 4
author: jamiejdt
author: dansimp
ms.assetid: 9da557bc-f433-47d3-8af7-68ec4ff9bd3f
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

24
mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md
View File

@ -76,7 +76,7 @@ This section is divided into two parts: (1) features in all versions of App-V an
Microsoft Error Reporting provides a service that allows you to report problems you may be having with App-V to Microsoft and to receive information that may help you avoid or solve such problems.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at <https://go.microsoft.com/fwlink/?linkid=50293>.
@ -84,7 +84,7 @@ For information about the information collected, processed, or transmitted by Mi
We use the error reporting data to solve customer problems and improve our software and services.
**Choice/Control: **
**Choice/Control:**
App-V does not change your Microsoft Error Reporting settings. If you previously turned on error reporting, it will send Microsoft the information about the errors you encountered. When Microsoft needs additional data to analyze the problem, you will be prompted to review the data and choose whether or not to send it.  App-V will always respect your Microsoft Error Reporting settings.
@ -98,7 +98,7 @@ Enterprise customers can use Group Policy to configure how Microsoft Error Repor
Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including App-V.  For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at <https://go.microsoft.com/fwlink/?linkid=50142>.
**Choice/Control: **
**Choice/Control:**
If Microsoft Update is not enabled, you can opt-in during setup and subsequent checks for updates will follow the machine-wide schedule. You can update this option from the Microsoft Update Control Panel item.
@ -108,7 +108,7 @@ If Microsoft Update is not enabled, you can opt-in during setup and subsequent c
The product will collect various configuration items, including UserID, MachineID and SecurityGroup details, to be able to enforce settings on managed nodes. The data is stored in the App-V SQL database and transmitted across the App-V server and client components to enforce the configuration on the managed node.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
User and machine information and configuration content
@ -116,7 +116,7 @@ User and machine information and configuration content
The information is used to enforce the application access configuration on the managed nodes within the enterprise. The information does not leave the enterprise.
**Choice/Control: **
**Choice/Control:**
By default, the product does not have any data. All data is entered and enabled by the admin and can be viewed in the Management console. The feature cannot be disabled as this is the product functionality. To disable this, App-V will need to be uninstalled.
@ -130,7 +130,7 @@ None of this information is sent out of the enterprise.
It captures package history and asset information as part of the package.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
Information about the package and the sequencing environment is collected and stored in the package manifest during sequencing.
@ -138,7 +138,7 @@ Information about the package and the sequencing environment is collected and st
The information will be used by the admin to track the updates done to a package during its lifecycle. It will also be used by software deployment systems to track the package deployments within the organization.
**Choice/Control: **
**Choice/Control:**
This feature is always enabled and cannot be turned off.
@ -152,7 +152,7 @@ This administrator information will be stored in the package and can be viewed b
The product will collect a variety of reporting data points, including the username, to allow reporting on the usage of the product.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
Information about the machine, package and application usage are collected from every machine that reporting is enabled on.
@ -160,7 +160,7 @@ Information about the machine, package and application usage are collected from
The information is used to report on application usage within the enterprise. The information does not leave the enterprise.
**Choice/Control: **
**Choice/Control:**
By default, the product does not have any data. Data is only collected once the reporting feature is enabled on the App-V Client. To disable the collection of reporting data, the reporting feature must be disabled on all clients.
@ -178,7 +178,7 @@ This section addresses specific features available in App-V 4.6 SP1 and later.
The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at <https://go.microsoft.com/fwlink/?LinkID=52097>.
@ -186,7 +186,7 @@ For more information about the information collected, processed, or transmitted
We use this information to improve the quality, reliability, and performance of Microsoft software and services.
**Choice/Control: **
**Choice/Control:**
CEIP is optional and the opt-in status can be updated during install or post install from the GUI.  
@ -196,7 +196,7 @@ CEIP is optional and the opt-in status can be updated during install or post ins
Customers can use Application Package Accelerators to automatically package complex applications without installing the application. The App-V sequencer allows you to create package accelerators for each virtual package. You can then use these package accelerators to automatically re-create the same virtual package in the future. You may also use package accelerators released by Microsoft or other third parties to simplify and automate packaging of complex applications.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
Application Package Accelerators may contain information such as computer names, user account information, and information about applications included in the Package Accelerator file.

4
mdop/appv-v4/planning-for-client-security.md
View File

@ -34,7 +34,7 @@ By default, at installation the App-V client is configured with the minimum perm
By default, the installation of the client registers file type associations (FTAs) for OSD files, which enables users to start applications directly from OSD files instead of the published shortcuts. If a user with local administrator rights receives an OSD file containing malicious code, either in e-mail or downloaded from a Web site, the user can open the OSD file and start the application even if the client has been set to restrict the **Add Application** permission. You can unregister the FTAs for the OSD to reduce this risk. Also, consider blocking this extension in the e-mail system and at the firewall. For more information about configuring Outlook to block extensions, see <https://go.microsoft.com/fwlink/?LinkId=133278>.
**Security Note:  **
**Security Note:**
Starting with App-V version 4.6, the file type association is no longer created for OSD files during a new installation of the client, although the existing settings will be maintained during an upgrade from version 4.2 or 4.5 of the App-V client. If for any reason it is essential to create the file type association, you can create the following registry keys and set their values as shown:
@ -50,7 +50,7 @@ During installation, you can use the **RequireAuthorizationIfCached** parameter
Antivirus software running on an App-V Client computer can detect and report an infected file in the virtual environment. However, it cannot disinfect the file. If a virus is detected in the virtual environment, the antivirus software would perform the configured quarantine or repair operation in the cache, not in the actual package. Configure the antivirus software with an exception for the sftfs.fsd file. This file is the cache file that stores packages on the App-V Client.
**Security Note:  **
**Security Note:**
If a virus is detected in an application or package deployed in the production environment, replace the application or package with a virus-free version.

2
mdop/appv-v4/security-and-protection-overview.md
View File

@ -21,7 +21,7 @@ Microsoft Application Virtualization 4.5 provides the following enhanced securi
- Application Virtualization now supports Transport Layer Security (TLS) using X.509 V3 certificates. Provided that a server certificate has been provisioned to the planned Application Virtualization Management or Streaming Server, the installation will default to secure, using the RTSPS protocol over port 322. Using RTSPS ensures that communication between the Application Virtualization Servers and the Application Virtualization Clients is signed and encrypted. If no certificate is assigned to the server during the Application Virtualization Server installation, the communication will be set to RTSP over port 554.
**Security Note:  **
**Security Note:**
To help provide a secure setup of the server, you must make sure that RTSP ports are disabled even if you have all packages configured to use RTSPS.

2
mdop/appv-v5/index.md
View File

@ -1,7 +1,7 @@
---
title: Application Virtualization 5
description: Application Virtualization 5
author: jamiejdt
author: dansimp
ms.assetid: e82eb44b-9ccd-41aa-923b-71400230ad23
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
mdop/dart-v10/index.md
View File

@ -1,7 +1,7 @@
---
title: Diagnostics and Recovery Toolset 10
description: Diagnostics and Recovery Toolset 10
author: jamiejdt
author: dansimp
ms.assetid: 64403eca-ff05-4327-ac33-bdcc96e706c8
ms.pagetype: mdop
ms.mktglfcycl: support

2
mdop/dart-v7/index.md
View File

@ -1,7 +1,7 @@
---
title: Diagnostics and Recovery Toolset 7 Administrator's Guide
description: Diagnostics and Recovery Toolset 7 Administrator's Guide
author: jamiejdt
author: dansimp
ms.assetid: bf89eccd-fc03-48ff-9019-a8640e11dd99
ms.pagetype: mdop
ms.mktglfcycl: support

2
mdop/dart-v8/index.md
View File

@ -1,7 +1,7 @@
---
title: Diagnostics and Recovery Toolset 8 Administrator's Guide
description: Diagnostics and Recovery Toolset 8 Administrator's Guide
author: jamiejdt
author: dansimp
ms.assetid: 33685dd7-844f-4864-b504-3ef384ef01de
ms.pagetype: mdop
ms.mktglfcycl: support

2
mdop/index.md
View File

@ -2,7 +2,7 @@
title: MDOP Information Experience
description: MDOP Information Experience
ms.assetid: 12b8ab56-3267-450d-bb22-1c7e44cb8e52
author: jamiejdt
author: dansimp
ms.pagetype: mdop
ms.mktglfcycl: manage
ms.sitesec: library

68
mdop/mbam-v1/index.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide
description: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide
author: jamiejdt
author: dansimp
ms.assetid: 4086e721-db24-4439-bdcd-ac5ef901811f
ms.pagetype: mdop, security
ms.mktglfcycl: manage
@ -10,46 +10,36 @@ ms.prod: w8
ms.date: 04/19/2017
---
# Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide
Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker drive encryption. With MBAM, you can select BitLocker encryption policy options that are appropriate to your enterprise and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the entire enterprise. In addition, you can access recovery key information when users forget their PIN or password, or when their BIOS or boot record changes.
<a href="" id="getting-started-with-mbam-1-0"></a>[Getting Started with MBAM 1.0](getting-started-with-mbam-10.md)
[About MBAM 1.0](about-mbam-10.md)**|**[Evaluating MBAM 1.0](evaluating-mbam-10.md)**|**[High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md)**|**[Accessibility for MBAM 1.0](accessibility-for-mbam-10.md)**|**[Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md)
<a href="" id="planning-for-mbam-1-0"></a>[Planning for MBAM 1.0](planning-for-mbam-10.md)
[Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md)**|**[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)**|**[Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md)**|**[MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)**|**[MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md)
<a href="" id="deploying-mbam-1-0"></a>[Deploying MBAM 1.0](deploying-mbam-10.md)
[Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)**|**[Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)**|**[Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)**|**[Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)**|**[MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md)
<a href="" id="operations-for-mbam-1-0"></a>[Operations for MBAM 1.0](operations-for-mbam-10.md)
[Administering MBAM 1.0 Features](administering-mbam-10-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md)**|**[Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md)
<a href="" id="troubleshooting-mbam-1-0"></a>[Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md)
### More Information
<a href="" id="release-notes-for-mbam-1-0"></a>[Release Notes for MBAM 1.0](release-notes-for-mbam-10.md)
View updated product information and known issues for MBAM 1.0.
<a href="" id="mdop-techcenter-page"></a>[MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286)
Learn about the latest MDOP information and resources.
<a href="" id="mdop-information-experience"></a>[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
 
 
- [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md)
- [About MBAM 1.0](about-mbam-10.md)
- [Release Notes for MBAM 1.0](release-notes-for-mbam-10.md)
- [Evaluating MBAM 1.0](evaluating-mbam-10.md)
- [High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md)
- [Accessibility for MBAM 1.0](accessibility-for-mbam-10.md)
- [Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md)
- [Planning for MBAM 1.0](planning-for-mbam-10.md)
- [Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md)
- [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)
- [Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md)
- [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)
- [MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md)
- [Deploying MBAM 1.0](deploying-mbam-10.md)
- [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)
- [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)
- [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)
- [Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)
- [MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md)
- [Operations for MBAM 1.0](operations-for-mbam-10.md)
- [Administering MBAM 1.0 Features](administering-mbam-10-features.md)
- [Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md)
- [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md)
- [Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md)
- [Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md)
## More Information
- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
Find documentation, videos, and other resources for MDOP technologies.

62
mdop/mbam-v2/index.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide
description: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide
author: jamiejdt
author: dansimp
ms.assetid: fdb43f62-960a-4811-8802-50efdf04b4af
ms.pagetype: mdop, security
ms.mktglfcycl: manage
@ -10,43 +10,47 @@ ms.prod: w8
ms.date: 04/19/2017
---
# Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide
Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 provides a simplified administrative interface that you can use to manage BitLocker drive encryption. In BitLocker Administration and Monitoring 2.0, you can select BitLocker drive encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes.
<a href="" id="getting-started-with-mbam-2-0"></a>[Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md)
[About MBAM 2.0](about-mbam-20-mbam-2.md)**|**[Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)**|**[About MBAM 2.0 SP1](about-mbam-20-sp1.md)**|**[Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)**|**[Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)**|**[High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md)**|**[Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md)
<a href="" id="planning-for-mbam-2-0"></a>[Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md)
[Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md)**|**[MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)**|**[Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md)**|**[MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)**|**[MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md)
<a href="" id="deploying-mbam-2-0"></a>[Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md)
[Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)**|**[Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)**|**[Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)**|**[MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md)**|**[Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md)
<a href="" id="operations-for-mbam-2-0"></a>[Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md)
[Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)**|**[Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md)**|**[Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md)**|**[Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)**|** [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md)
<a href="" id="troubleshooting-mbam-2-0"></a>[Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md)
### More Information
## Outline
- [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md)
- [About MBAM 2.0](about-mbam-20-mbam-2.md)
- [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)
- [About MBAM 2.0 SP1](about-mbam-20-sp1.md)
- [Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)
- [Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)
- [High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md)
- [Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md)
- [Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md)
- [Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md)
- [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)
- [Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md)
- [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)
- [MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md)
- [Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md)
- [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)
- [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)
- [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)
- [MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md)
- [Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md)
- [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md)
- [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)
- [Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md)
- [Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md)
- [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md)
- [Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md)
- [Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)
- [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md)
- [Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md)
View updated product information and known issues for MBAM 2.0.
## More Information
- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286)
- [MDOP Information Experience](index.md)
Learn about the latest MDOP information and resources.
- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
Find documentation, videos, and other resources for MDOP technologies.
 

2
mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
View File

@ -19,7 +19,7 @@ author: shortpatti
This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157)
[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=58345)
#### Steps to update the MBAM Server for existing MBAM environment
1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).

88
mdop/mbam-v25/index.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft BitLocker Administration and Monitoring 2.5
description: Microsoft BitLocker Administration and Monitoring 2.5
author: jamiejdt
author: dansimp
ms.assetid: fd81d7de-b166-47e8-b6c7-d984830762b6
ms.pagetype: mdop, security
ms.mktglfcycl: manage
@ -10,49 +10,56 @@ ms.prod: w10
ms.date: 04/19/2017
---
# Microsoft BitLocker Administration and Monitoring 2.5
Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md).
To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049).
To obtain MBAM, see [How Do I Get MDOP](index.md#how-to-get-mdop).
<a href="" id="getting-started-with-mbam-2-5"></a>[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
[About MBAM 2.5](about-mbam-25.md)**|**[Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)**|**[About MBAM 2.5 SP1](about-mbam-25-sp1.md)**|**[Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)**|**[Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)**|**[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)**|**[Accessibility for MBAM 2.5](accessibility-for-mbam-25.md)
<a href="" id="planning-for-mbam-2-5"></a>[Planning for MBAM 2.5](planning-for-mbam-25.md)
[Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)**|**[MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)**|**[Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)**|**[Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)**|**[Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)**|**[Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)**|**[MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)**|**[Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)**|**[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)**|**[MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md)
<a href="" id="deploying-mbam-2-5"></a>[Deploying MBAM 2.5](deploying-mbam-25.md)
[Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)**|**[Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)**|**[Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)**|**[MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)**|**[Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)**|**[Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md)
<a href="" id="operations-for-mbam-2-5"></a>[Operations for MBAM 2.5](operations-for-mbam-25.md)
[Administering MBAM 2.5 Features](administering-mbam-25-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)**|**[Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)**|**[Maintaining MBAM 2.5](maintaining-mbam-25.md)**|**[Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md)
<a href="" id="troubleshooting-mbam-2-5"></a>[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md)
<a href="" id="technical-reference-for-mbam-2-5"></a>[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
[Client Event Logs](client-event-logs.md)**|**[Server Event Logs](server-event-logs.md)
### More Information
## Outline
- <a href="" id="getting-started-with-mbam-2-5"></a>[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
- [About MBAM 2.5](about-mbam-25.md)
- [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)
- [About MBAM 2.5 SP1](about-mbam-25-sp1.md)
- [Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)
- [Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)
- [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)
- [Accessibility for MBAM 2.5](accessibility-for-mbam-25.md)
- <a href="" id="planning-for-mbam-2-5"></a>[Planning for MBAM 2.5](planning-for-mbam-25.md)
- [Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)
- [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)
- [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)
- [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)
- [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)
- [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)
- [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)
- [Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)
- [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)
- [MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md)
- <a href="" id="deploying-mbam-2-5"></a>[Deploying MBAM 2.5](deploying-mbam-25.md)
- [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)
- [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)
- [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)
- [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)
- [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)
- [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md)
- <a href="" id="operations-for-mbam-2-5"></a>[Operations for MBAM 2.5](operations-for-mbam-25.md)
- [Administering MBAM 2.5 Features](administering-mbam-25-features.md)
- [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)
- [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)
- [Maintaining MBAM 2.5](maintaining-mbam-25.md)
- [Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md)
- <a href="" id="troubleshooting-mbam-2-5"></a>[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md)
- <a href="" id="technical-reference-for-mbam-2-5"></a>[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
- [Client Event Logs](client-event-logs.md)
- [Server Event Logs](server-event-logs.md)
View updated product information and known issues for MBAM 2.5.
## More Information
- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286)
- [MDOP Information Experience](index.md)
Learn about the latest MDOP information and resources.
- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
Find documentation, videos, and other resources for MDOP technologies.
- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398)
@ -61,16 +68,3 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin
- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md)
Guide of how to apply MBAM 2.5 SP1 Server hotfixes
## Got a suggestion for MBAM?
- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 

12
mdop/medv-v1/how-to-configure-image-pre-staging.md
View File

@ -72,17 +72,17 @@ Image pre-staging is useful only for the initial image download. It is not suppo
**NT AUTHORITY\\Authenticated Users:(OI)(CI)(special access:)**
**                                READ\_CONTROL**
**READ\_CONTROL**
**                                                                                SYNCHRONIZE**
**SYNCHRONIZE**
**                                                                                FILE\_GENERIC\_READ**
**FILE\_GENERIC\_READ**
**                                                                                                FILE\_READ\_DATA**
**FILE\_READ\_DATA**
**                                                                                FILE\_READ\_EA**
**FILE\_READ\_EA**
**                                                                                FILE\_READ\_ATTRIBUTES**
**FILE\_READ\_ATTRIBUTES**
**NT AUTHORITY\\SYSTEM:(OI)(CI)F**

2
mdop/medv-v1/index.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide
description: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide
author: jamiejdt
author: dansimp
ms.assetid: 7bc3e120-df77-4f4c-bc8e-7aaa4c2a6525
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

2
mdop/medv-v2/index.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Enterprise Desktop Virtualization 2.0
description: Microsoft Enterprise Desktop Virtualization 2.0
author: jamiejdt
author: dansimp
ms.assetid: 84109be0-4613-42e9-85fc-fcda8de6e4c4
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

2
mdop/solutions/index.md
View File

@ -1,7 +1,7 @@
---
title: MDOP Solutions and Scenarios
description: MDOP Solutions and Scenarios
author: jamiejdt
author: dansimp
ms.assetid: 1cb18bef-fbae-4e96-a4f1-90cf111c3b5f
ms.pagetype: mdop
ms.mktglfcycl: deploy

2
mdop/uev-v1/index.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft User Experience Virtualization (UE-V) 1.0
description: Microsoft User Experience Virtualization (UE-V) 1.0
author: jamiejdt
author: dansimp
ms.assetid: 7c2b59f6-bbe9-4373-8b08-c1738665a37b
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

2
mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
View File

@ -193,7 +193,7 @@ Youll need to deploy a settings storage location, a standard network share wh
**Security Note:  **
**Security Note:**
If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor:

2
mdop/uev-v2/index.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft User Experience Virtualization (UE-V) 2.x
description: Microsoft User Experience Virtualization (UE-V) 2.x
author: jamiejdt
author: dansimp
ms.assetid: b860fed0-b846-415d-bdd6-ba60231a64be
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

8
windows/application-management/remove-provisioned-apps-during-update.md
View File

@ -162,10 +162,14 @@ Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneMusic_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.3DBuilder_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe]
```
[Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
[Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
[Remove-AppxPackage](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage)

3
windows/application-management/sideload-apps-in-windows-10.md
View File

@ -19,6 +19,9 @@ ms.date: 05/20/2019
- Windows 10
- Windows 10 Mobile
> [!NOTE]
> As of Windows Insider Build 18956, sideloading is enabled by default. Now, you can deploy a signed package onto a device without a special configuration.
"Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business.
When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1

2
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -17,7 +17,7 @@ ms.topic: troubleshooting
## Overview
This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution.
This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution.
## Scenarios

20
windows/client-management/mdm/applocker-csp.md
View File

@ -156,22 +156,8 @@ Each of the previous nodes contains one or more of the following leaf nodes:
<tr class="odd">
<td><p><strong>Policy</strong></p></td>
<td><p>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</p>
<p>Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.</p>
<p>For CodeIntegrity/Policy, you can use the <a href="https://go.microsoft.com/fwlink/p/?LinkId=724364" data-raw-source="[certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364)">certutil -encode</a> command line tool to encode the data to base-64.</p>
<p>Here is a sample certutil invocation:</p>
```
certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
```
<p>An alternative to using certutil would be to use the following PowerShell invocation:</p>
```
[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
```
<p>If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.</p>
<p>Data type is string. Supported operations are Get, Add, Delete, and Replace.</p></td>
<p>For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.</p>
<p>For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.</td>
</tr>
<tr class="even">
<td><p><strong>EnforcementMode</strong></p></td>
@ -186,6 +172,8 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
</tbody>
</table>
> [!NOTE]
> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP.
## <a href="" id="productname"></a>Find publisher and product name of apps

5
windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
View File

@ -24,13 +24,16 @@ Summary of steps to enable a policy:
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
- Create the data payload for the SyncML.
See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) for a walk-through using Intune.
See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/) for a walk-through using Intune.
>[!TIP]
>Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows)
## Enable a policy
> [!NOTE]
> See [Understanding ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies).
1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.
- GP English name
- GP name

2
windows/client-management/mdm/policy-csp-remotemanagement.md
View File

@ -365,7 +365,7 @@ If you disable or do not configure this policy setting, the WinRM service will n
The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.

4
windows/client-management/mdm/policy-csp-update.md
View File

@ -1053,7 +1053,7 @@ Supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value.
<!--/Description-->
<!--ADMXMapped-->
@ -1072,7 +1072,7 @@ The following list shows the supported values:
- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709)
- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709)
- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903)
<!--/SupportedValues-->
<!--/Policy-->

12
windows/client-management/mdm/windowslicensing-csp.md
View File

@ -196,7 +196,7 @@ Values:
**CheckApplicability**
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
@ -223,7 +223,7 @@ Values:
**Edition**
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
@ -241,7 +241,7 @@ Values:
**LicenseKeyType**
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
@ -259,7 +259,7 @@ Values:
**Status**
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
@ -277,7 +277,7 @@ Values:
**UpgradeEditionWithProductKey**
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
@ -304,7 +304,7 @@ Values:
**UpgradeEditionWithLicense**
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>

2
windows/client-management/mdm/windowssecurityauditing-csp.md
View File

@ -39,7 +39,7 @@ Supported operations are Get and Replace.
Enable logging of audit events.
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>

2
windows/configuration/customize-and-export-start-layout.md
View File

@ -176,7 +176,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
2. [Export the Start layout](#export-the-start-layout).
3. Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
``` syntax
```xml
<DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
```

2
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -68,7 +68,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app
Kiosk Browser settings | Use this setting to
--- | ---
Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. <br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. <br><br>For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. <br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.

12
windows/configuration/kiosk-xml.md
View File

@ -26,7 +26,7 @@ ms.topic: article
## Full XML sample
>[!NOTE]
>Updated for Windows 10, version 1903, and Windows 10 Prerelease
>Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds).
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## [Preview] Global Profile Sample XML
Global Profile is currently supported in Windows 10 Prerelease. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user.
Global Profile is currently supported in Windows 10 Insider Preview (19H2, 20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user.
This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in
```xml
@ -394,7 +394,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul
```
## [Preview] Folder Access sample xml
In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in current Windows 10 Prerelease.
In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granulatity and easier use, and is available in Windows 10 Insider Preview (19H2, 20H1 builds).
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time.
@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
## XSD for AssignedAccess configuration XML
>[!NOTE]
>Updated for Windows 10, version 1903 and Windows 10 Prerelease.
>Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds).
Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
```xml
@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release
</xs:schema>
```
Schema for Windows 10 prerelease
Schema for Windows 10 Insider Preview (19H2, 20H1 builds)
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -889,7 +889,7 @@ Schema for Windows 10 prerelease
</xs:schema>
```
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature which is added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"

2
windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
View File

@ -462,7 +462,7 @@ Quick action buttons are locked down in exactly the same way as Settings pages/g
You can specify the quick actions as follows:
``` syntax
```xml
<Settings>
<System name="QuickActions_Launcher_AllSettings" />
<System name="QuickActions_Launcher_DeviceDiscovery" />

3
windows/configuration/start-layout-xml-desktop.md
View File

@ -53,6 +53,7 @@ The XML schema for `LayoutModification.xml` requires the following order for tag
1. TopMFUApps
1. CustomTaskbarLayoutCollection
1. InkWorkspaceTopApps
1. StartLayoutCollection
Comments are not supported in the `LayoutModification.xml` file.
@ -66,6 +67,8 @@ Comments are not supported in the `LayoutModification.xml` file.
>- Do not add multiple rows of comments.
The following table lists the supported elements and attributes for the LayoutModification.xml file.
> [!NOTE]
> RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images.
| Element | Attributes | Description |
| --- | --- | --- |

18
windows/configuration/ue-v/uev-application-template-schema-reference.md
View File

@ -241,7 +241,7 @@ Version identifies the version of the settings location template for administrat
**Hint:** You can save notes about version changes using XML comment tags `<!-- -->`, for example:
``` syntax
```xml
<!--
Version History
@ -280,7 +280,7 @@ Author identifies the creator of the settings location template. Two optional ch
Processes contains at least one `<Process>` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example:
``` syntax
```xml
<Process>
<Filename>MyApplication.exe</Filename>
<Architecture>Win64</Architecture>
@ -355,7 +355,7 @@ UE-V does not support ARM processors in this version.
ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This allows for more easily understood descriptions of a process where the executable name may not be obvious. For example:
``` syntax
```xml
<Process>
<Filename>MyApplication.exe</Filename>
<ProductName>My Application 6.x by Contoso.com</ProductName>
@ -375,7 +375,7 @@ FileDescription is an optional tag that allows for an administrative description
For example, in a suited application, it might be useful to provide reminders about the function of two executables (MyApplication.exe and MyApplicationHelper.exe), as shown here:
``` syntax
```xml
<Processes>
<Process>
@ -409,7 +409,7 @@ The product and file version elements may be left unspecified. Doing so makes th
Product version: 1.0 specified in the UE-V template generator produces the following XML:
``` syntax
```xml
<ProductVersion>
<Major Minimum="1" Maximum="1" />
<Minor Minimum="0" Maximum="0" />
@ -420,7 +420,7 @@ Product version: 1.0 specified in the UE-V template generator produces the follo
File version: 5.0.2.1000 specified in the UE-V template generator produces the following XML:
``` syntax
```xml
<FileVersion>
<Major Minimum="5" Maximum="5" />
<Minor Minimum="0" Maximum="0" />
@ -433,7 +433,7 @@ File version: 5.0.2.1000 specified in the UE-V template generator produces the f
Only the Minimum attribute is present. Maximum must be included in a range as well.
``` syntax
```xml
<ProductVersion>
<Major Minimum="2" />
</ProductVersion>
@ -443,7 +443,7 @@ Only the Minimum attribute is present. Maximum must be included in a range as we
Only the Minor element is present. Major must be included as well.
``` syntax
```xml
<ProductVersion>
<Minor Minimum="0" Maximum="0" />
</ProductVersion>
@ -463,7 +463,7 @@ Including a FileVersion element for an application allows for more granular fine
The child elements and syntax rules for FileVersion are identical to those of ProductVersion.
``` syntax
```xml
<Process>
<Filename>MSACCESS.EXE</Filename>
<Architecture>Win32</Architecture>

4
windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
View File

@ -26,7 +26,7 @@ As an administrator of User Experience Virtualization (UE-V), you can restore ap
To restore settings when a user adopts a new device, you can put a settings location template in **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To backup settings for a template, use the following cmdlet in Windows PowerShell:
``` syntax
```powershell
Set-UevTemplateProfile -ID <TemplateID> -Profile <backup>
```
@ -38,7 +38,7 @@ When replacing a users device, UE-V automatically restores settings if the us
You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell:
``` syntax
```powershell
Restore-UevBackup -ComputerName <Computer name>
```

6
windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
View File

@ -172,7 +172,7 @@ The UE-V Windows PowerShell features enable you to manage a group of settings te
4. Unregister all the previously registered versions of the templates by typing the following command.
``` syntax
```powershell
Unregister-UevTemplate -All
```
@ -180,7 +180,7 @@ The UE-V Windows PowerShell features enable you to manage a group of settings te
5. Register the updated templates by typing the following command.
``` syntax
```powershell
Register-UevTemplate <path to template folder>\*.xml
```
@ -192,7 +192,7 @@ By listing a Windows app in the Windows app list, you specify whether that app i
To display the Package Family Name of installed Windows apps, at a Windows PowerShell command prompt, enter:
``` syntax
```powershell
Get-AppxPackage | Sort-Object PackageFamilyName | Format-Table PackageFamilyName
```

2
windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
View File

@ -131,7 +131,7 @@ You can deploy UE-V settings location template with the following methods:
- **Registering template with PowerShell**. If you use Windows PowerShell to manage computers, run the following Windows PowerShell command as Administrator to register this settings location template:
``` syntax
```powershell
Register-UevTemplate -Path <Path_to_Template>
```

7
windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -48,7 +49,7 @@ When the database is populated, you can use the MDT simulation environment to si
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following:
``` syntax
```
[Settings]
Priority=CSettings, CRoles, RApplications, Default
[Default]
@ -113,7 +114,7 @@ When the database is populated, you can use the MDT simulation environment to si
3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
``` syntax
``` powershell
Set-Location C:\MDT
.\Gather.ps1

7
windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -87,7 +88,7 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this:
``` syntax
```
[Settings]
Priority=DefaultGateway, Default
[DefaultGateway]
@ -153,7 +154,7 @@ When you have multiple deployment servers sharing the same content, you need to
2. In the **Advanced** tab, set the quota to **8192 MB**.
In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share:
``` syntax
``` powershell
(Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```

13
windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -36,7 +37,7 @@ Before adding the more advanced components like scripts, databases, and web serv
If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead.
``` syntax
```
[Settings]
Priority=MacAddress, Default
[Default]
@ -51,7 +52,7 @@ In the preceding sample, you set the PC00075 computer name for a machine with a
Another way to assign a computer name is to identify the machine via its serial number.
``` syntax
```
[Settings]
Priority=SerialNumber, Default
[Default]
@ -66,7 +67,7 @@ In this sample, you set the PC00075 computer name for a machine with a serial nu
You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly.
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -83,7 +84,7 @@ Be careful when using the serial number to assign computer names. A serial numbe
To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows:
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -97,7 +98,7 @@ In the preceding sample, you still configure the rules to set the computer name
In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read.
``` syntax
```
[Settings]
Priority=ByLaptopType, Default
[Default]

7
windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -23,7 +24,7 @@ In this topic, you will learn how to configure the MDT rules engine to use a Use
You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder).
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -38,7 +39,7 @@ The UserExit=Setname.vbs calls the script and then assigns the computer name to
The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address.
``` syntax
```
Function UserExit(sType, sWhen, sDetail, bSkip)
UserExit = Success
End Function

31
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -63,7 +64,7 @@ In order to write the reference image back to the deployment share, you need to
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Modify the NTFS permissions for the **E:\\MDTBuildLab\\Captures** folder by running the following command in an elevated Windows PowerShell prompt:
``` syntax
```
icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)'
```
@ -170,7 +171,7 @@ If you need to add many applications, you can take advantage of the PowerShell s
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab"
```
@ -182,7 +183,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2005SP1x86"
@ -196,7 +197,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2005SP1x64"
@ -210,7 +211,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2008SP1x86"
@ -224,7 +225,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2008SP1x64"
@ -238,7 +239,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2010SP1x86"
@ -252,7 +253,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2010SP1x64"
@ -266,7 +267,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86"
$CommandLine = "vcredist_x86.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2012Ux86"
@ -280,7 +281,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
``` powershell
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2012Ux64"
@ -405,7 +406,7 @@ In MDT, there are always two rule files: the CustomSettings.ini file and the Boo
For that reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK. By taking the following steps, you will configure the rules for the MDT Build Lab deployment share:
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Properties**.
2. Select the **Rules** tab and modify using the following information:
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -444,7 +445,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
3. Click **Edit Bootstrap.ini** and modify using the following information:
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -501,7 +502,7 @@ The CustomSettings.ini file is normally stored on the server, in the Deployment
The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the E:\\MDTBuildLab\\Control folder on MDT01.
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -529,7 +530,7 @@ So, what are these settings?
The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration.
``` syntax
```
[Settings]
Priority=Default
[Default]

17
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -175,11 +176,13 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
- Surface Pro 3
The preceding folder names are selected because they match the actual make and model values that MDT reads from the machines during deployment. You can find out the model values for your machines via the following command in Windows PowerShell:
``` syntax
``` powershell
Get-WmiObject -Class:Win32_ComputerSystem
```
Or, you can use this command in a normal command prompt:
``` syntax
```
wmic csproduct get name
```
@ -312,7 +315,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
2. Right-click the **MDT Production** deployment share and select **Properties**.
3. Select the **Rules** tab and modify using the following information:
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -349,7 +352,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
```
4. Click **Edit Bootstrap.ini** and modify using the following information:
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -393,7 +396,7 @@ The rules for the MDT Production deployment share are somewhat different from th
### The Bootstrap.ini file
This is the MDT Production Bootstrap.ini without the user credentials (except domain information):
``` syntax
```
[Settings]
Priority=Default
[Default]
@ -405,7 +408,7 @@ SkipBDDWelcome=YES
### The CustomSettings.ini file
This is the CustomSettings.ini file with the new join domain information:
``` syntax
```
[Settings]
Priority=Default
[Default]

6
windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
View File

@ -11,7 +11,8 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -27,6 +28,9 @@ MDT is a free, supported download from Microsoft that adds approximately 280 enh
As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
> [!Note]
> Microsoft Deployment Toolkit requires you to install [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) on your server.
### MDT enables dynamic deployment
When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.

5
windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -100,7 +101,7 @@ By default MDT stores the log files locally on the client. In order to capture a
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
``` syntax
``` powershell
New-Item -Path E:\Logs -ItemType directory
New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'

5
windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -42,7 +43,7 @@ When preparing for the computer replace, you need to create a folder in which to
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` syntax
``` powershell
New-Item -Path E:\MigData -ItemType directory
New-SmbShare ?Name MigData$ ?Path E:\MigData
-ChangeAccess EVERYONE

9
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -136,11 +137,13 @@ cscript.exe SetConfig.vbs SecurityChip Active
```
## <a href="" id="sec03"></a>Configure the Windows 10 task sequence to enable BitLocker
When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions:
When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549).
In the following task sequence, we added five actions:
- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf.
**Note**  
It is common for organizations wrapping these tools in scripts to get additional logging and error handling.
It is common for organizations to wrap these tools in scripts to get additional logging and error handling.
- **Restart computer.** Self-explanatory, reboots the computer.
- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.

5
windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -39,7 +40,7 @@ For the purposes of this topic, you already will have either downloaded and inst
Figure 6. The C:\\MDT folder with the files added for the simulation environment.
10. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press Enter after each command:
``` syntax
``` powershell
Set-Location C:\MDT
.\Gather.ps1
```

7
windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
View File

@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.pagetype: mdt
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -92,7 +93,7 @@ Figure 20. The result from the MDT Sample web service.
After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
``` syntax
```
[Settings]
Priority=Default, GetComputerName
[Default]
@ -108,7 +109,7 @@ After verifying the web service using Internet Explorer, you are ready to do the
2. Save the CustomSettings.ini file.
3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
``` syntax
```
Set-Location C:\MDT
.\Gather.ps1
```

7
windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
View File

@ -10,7 +10,8 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -59,7 +60,7 @@ To support additional server-side logging in Configuration Manager, you create a
2. Type the following commands, pressing **Enter** after each one:
``` syntax
```
New-Item -Path E:\Logs -ItemType directory
New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
@ -74,7 +75,7 @@ This section will show you how to configure the rules (the Windows 10 x64 Settin
2. Using Notepad, edit the CustomSetting.ini file with the following settings:
``` syntax
```
[Settings]
Priority=Default
Properties=OSDMigrateConfigFiles,OSDMigrateMode

5
windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -10,7 +10,8 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -90,7 +91,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command:
``` syntax
```
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts

44
windows/deployment/deploy-windows-to-go.md
View File

@ -4,13 +4,15 @@ description: This topic helps you to deploy Windows To Go in your organization.
ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f
ms.reviewer:
manager: laurawi
ms.audience: itpro author: greg-lindsay
ms.audience: itpro
author: greg-lindsay
keywords: deployment, USB, device, BitLocker, workspace, security, data
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobility
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -106,7 +108,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
2. In the Windows PowerShell session type the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
``` syntax
```
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
@ -145,7 +147,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
``` syntax
```
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
@ -154,14 +156,14 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
~~~
``` syntax
```
W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
```
~~~
5. Apply SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step:
``` syntax
```
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="offlineServicing">
@ -193,13 +195,13 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command:
``` syntax
```
Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
```
7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file:
``` syntax
```
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
@ -299,7 +301,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by &lt;&gt;) with the ones applicable for your environment:
``` syntax
```
djoin /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
```
@ -312,7 +314,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
4. From the Windows PowerShell command prompt run:
``` syntax
```
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
@ -353,7 +355,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
``` syntax
```
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
@ -361,13 +363,13 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind
6. After those commands have completed, run the following command:
``` syntax
```
djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
```
7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](https://go.microsoft.com/fwlink/p/?LinkId=619172):
``` syntax
```
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
@ -460,7 +462,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
>[!NOTE]
>If you used the [manual method for creating a workspace](https://go.microsoft.com/fwlink/p/?LinkId=619174) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
``` syntax
```
# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
@ -499,20 +501,20 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
``` syntax
```
#The WIM file must contain a sysprep generalized image.
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
5. In the same PowerShell session use the following cmdlet to add a recovery key to the drive:
``` syntax
```
$BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector
```
6. Next, use the following cmdlets to save the recovery key to a file:
``` syntax
```
#The BitLocker Recovery key is essential if for some reason you forget the BitLocker password
#This recovery key can also be backed up into Active Directory using manage-bde.exe or the
#PowerShell cmdlet Backup-BitLockerKeyProtector.
@ -522,7 +524,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation:
``` syntax
```
# Create a variable to store the password
$spwd = ConvertTo-SecureString -String <password> -AsplainText Force
Enable-BitLocker W: -PasswordProtector $spwd
@ -586,7 +588,7 @@ The sample script creates an unattend file that streamlines the deployment proce
3. Configure the PowerShell execution policy. By default PowerShells execution policy is set to Restricted; that means that scripts wont run until you have explicitly given them permission to. To configure PowerShells execution policy to allow the script to run, use the following command from an elevated PowerShell prompt:
``` syntax
```
Set-ExecutionPolicy RemoteSigned
```
@ -601,7 +603,7 @@ The sample script creates an unattend file that streamlines the deployment proce
#### Windows To Go multiple drive provisioning sample script
``` syntax
```
<#
.SYNOPSIS
Windows To Go multiple drive provisioning sample script.
@ -976,7 +978,7 @@ Before provisioning your Windows To Go drive you need to consider if your worksp
In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout:
``` syntax
```
reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f
reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f

7
windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
View File

@ -9,7 +9,8 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -128,7 +129,7 @@ In order to meet the two requirements above, we recommend that you use one of th
~~~
``` syntax
```
msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)
```
~~~
@ -146,7 +147,7 @@ You must ensure that you call the script at a time when it will receive elevated
The following examples show an installation of a custom compatibility-fix database based on an .msi file.
``` syntax
```
'InstallSDB.vbs
Function Install
Dim WshShell

5
windows/deployment/update/feature-update-user-install.md
View File

@ -4,7 +4,8 @@ description: Learn how to manually deploy feature updates
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.date: 07/10/2018
@ -69,6 +70,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys)
#Write content to file
New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force
<#
Disclaimer
Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is
provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without
@ -78,6 +80,7 @@ Microsoft, its authors, or anyone else involved in the creation, production, or
for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption,
loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script
or documentation, even if Microsoft has been advised of the possibility of such damages.
#>
```
>[!NOTE]

5
windows/deployment/update/waas-configure-wufb.md
View File

@ -6,7 +6,8 @@ description: You can use Group Policy or your mobile device management (MDM) ser
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
@ -28,7 +29,7 @@ ms.topic: article
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
> [!IMPORTANT]
>For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
> Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).

5
windows/deployment/update/waas-delivery-optimization-reference.md
View File

@ -7,7 +7,8 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.collection: M365-modern-desktop
@ -116,7 +117,7 @@ Download mode dictates which download sources clients are allowed to use when do
### Group ID
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
[//]: # (SCCM Boundary Group option; GroupID Source policy)

5
windows/deployment/update/waas-delivery-optimization.md
View File

@ -7,7 +7,8 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.collection: M365-modern-desktop
@ -116,7 +117,7 @@ For the payloads (optional):
**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimizatio uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
## Troubleshooting

6
windows/deployment/update/waas-overview.md
View File

@ -5,9 +5,11 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.audience: itpro author: greg-lindsay
ms.audience: itpro
author: greg-lindsay
ms.date: 09/24/2018
ms.reviewer:
manager: laurawi

8
windows/deployment/update/waas-servicing-differences.md
View File

@ -7,9 +7,11 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.audience: itpro author: greg-lindsay
ms.audience: itpro
author: greg-lindsay
ms.topic: article
ms.collection: M365-modern-desktop
---
@ -19,7 +21,7 @@ ms.collection: M365-modern-desktop
>
> **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.**
Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need to understand how best to leverage a modern workplace to support system updates.
The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).

6
windows/deployment/update/waas-wu-settings.md
View File

@ -4,9 +4,11 @@ description: Additional settings to control the behavior of Windows Update (WU)
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.audience: itpro author: greg-lindsay
ms.audience: itpro
author: greg-lindsay
ms.date: 07/27/2017
ms.reviewer:
manager: laurawi

2
windows/deployment/update/windows-analytics-get-started.md
View File

@ -78,7 +78,7 @@ To enable data sharing, configure your proxy server to whitelist the following e
>[!NOTE]
>Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland):
>- Windows diagnostic data from Windows 8.1 devices
>- App usage data for Windows 7 devices
>- App usage data and [Internet Explorer site discovery](../upgrade/upgrade-readiness-additional-insights#site-discovery) features for Windows 7 devices

5
windows/deployment/upgrade/setupdiag.md
View File

@ -9,7 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
---
@ -334,7 +335,7 @@ Each rule name and its associated unique rule identifier are listed with a descr
- For an example, see [Sample registry key](#sample-registry-key).
05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center.
- This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset).
- This release adds the ability to find and diagnose reset and recovery failures (Push Button Reset).
12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
- This release includes major improvements in rule processing performance: ~3x faster rule processing performance!

5
windows/deployment/upgrade/upgrade-readiness-deployment-script.md
View File

@ -8,7 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
ms.collection: M365-analytics
---
@ -186,5 +187,5 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi
>
> Then run the Enterprise Config script (RunConfig.bat) again.
>
> If the script still fails, then send mail to <strong>uasupport@microsoft.com</strong> including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\<system drive>\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.
> If the script still fails, then contact support@microsoft.com and share the log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\<system drive>\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.

5
windows/deployment/upgrade/windows-10-upgrade-paths.md
View File

@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: mobile
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -27,7 +28,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>
> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
>
> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup).
> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
>
> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>

7
windows/deployment/usmt/offline-migration-reference.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -104,7 +105,7 @@ It is possible to run the ScanState tool while the drive remains encrypted by su
User-group membership is not preserved during offline migrations. You must configure a **&lt;ProfileControl&gt;** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
``` syntax
``` xml
<Configuration>
<ProfileControl>
<localGroups>
@ -242,7 +243,7 @@ Syntax: &lt;failOnMultipleWinDir&gt;1&lt;/failOnMultipleWinDir&gt; or Syntax: &l
The following XML example illustrates some of the elements discussed earlier in this topic.
``` syntax
``` xml
<offline>
<winDir>
<path>C:\Windows</path>

27
windows/deployment/usmt/understanding-migration-xml-files.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -225,7 +226,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t
For example, you can use all of the XML migration file types for a single migration, as in the following example:
``` syntax
```
Scanstate <store> /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml
```
@ -258,14 +259,14 @@ To generate the XML migration rules file for a source computer:
3. At the command prompt, type:
``` syntax
```
cd /d <USMTpath>
scanstate.exe /genmigxml: <filepath.xml>
```
Where *&lt;USMTpath&gt;* is the location on your source computer where you have saved the USMT files and tools, and *&lt;filepath.xml&gt;* is the full path to a file where you can save the report. For example, type:
``` syntax
```
cd /d c:\USMT
scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
```
@ -313,13 +314,13 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr
**Usage:**
``` syntax
```
MigXmlHelper.GenerateDocPatterns ("<ScanProgramFiles>", "<IncludePatterns>", "<SystemDrive>")
```
To create include data patterns for only the system drive:
``` syntax
``` xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("FALSE","TRUE","TRUE")</script>
@ -329,7 +330,7 @@ To create include data patterns for only the system drive:
To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory:
``` syntax
``` xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("TRUE","TRUE","FALSE")</script>
@ -339,7 +340,7 @@ To create an include rule to gather files for registered extensions from the %PR
To create exclude data patterns:
``` syntax
``` xml
<exclude filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("FALSE","FALSE","FALSE")</script>
@ -440,7 +441,7 @@ To exclude the new text document.txt file as well as any .txt files in “new fo
To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
``` syntax
``` xml
<exclude>
<objectSet>
<pattern type="File">D:\Newfolder\[new text document.txt]</pattern>
@ -453,7 +454,7 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f
If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the &lt;UnconditionalExclude&gt; element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
``` syntax
``` xml
<unconditionalExclude>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("*[*.txt]", "Fixed")</script>
@ -465,7 +466,7 @@ If you do not know the file name or location of the file, but you do know the fi
If you want the &lt;UnconditionalExclude&gt; element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts.
``` syntax
``` xml
<component type="Documents" context="UserandSystem">
<displayName>MigDocExcludes</displayName>
<role role="Data">
@ -490,7 +491,7 @@ The application data directory is the most common location that you would need t
This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer.
``` syntax
``` xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst]</pattern>
@ -502,7 +503,7 @@ This rule will include .pst files that are located in the default location, but
For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component.
``` syntax
``` xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<pattern type="File">%CSIDL_PROGRAM_FILES%\*[*.pst]</pattern>

5
windows/deployment/usmt/usmt-best-practices.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -98,7 +99,7 @@ As the authorized administrator, it is your responsibility to protect the privac
Although it is not a requirement, it is good practice for &lt;CustomFileName&gt; to match the name of the file. For example, the following is from the MigApp.xml file:
``` syntax
``` xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
```

7
windows/deployment/usmt/usmt-configxml-file.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -95,7 +96,7 @@ The following example specifies that all locked files, regardless of their locat
Additionally, the order in the **&lt;ErrorControl&gt;** section implies priority. In this example, the first **&lt;nonFatal&gt;** tag takes precedence over the second **&lt;fatal&gt;** tag. This precedence is applied, regardless of how many tags are listed.
``` syntax
``` xml
<ErrorControl>
<fileError>
<nonFatal errorCode="33">* [*]</nonFatal>
@ -265,7 +266,7 @@ The **&lt;ErrorControl&gt;** section can be configured to conditionally ignore f
``` syntax
``` xml
<Policy>
<HardLinkStoreControl>
<fileLocked>

11
windows/deployment/usmt/usmt-conflicts-and-precedence.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -68,7 +69,7 @@ If you have an &lt;include&gt; rule in one component and a &lt;locationModify&gt
The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the &lt;exclude&gt; rule is specified in a separate component.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/UserDocs">
<component type="Documents" context="System">
<displayName>User Documents</displayName>
@ -102,7 +103,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil
Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded.
``` syntax
``` xml
<include>
<objectSet>
<pattern type="File">%CSIDL_PERSONAL%\* [*.doc] </pattern>
@ -135,7 +136,7 @@ If there are conflicting rules within a component, the most specific rule is app
In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions.
``` syntax
``` xml
<include>
<objectSet>
<pattern type="File">C:\Data\* [*]</pattern>
@ -390,7 +391,7 @@ The destination computer contains the following files:
You have a custom .xml file that contains the following code:
``` syntax
``` xml
<include>
<objectSet>
<pattern type="File">c:\data\* [*]</pattern>

9
windows/deployment/usmt/usmt-custom-xml-examples.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -36,7 +37,7 @@ Because the tables in this topic are wide, you may need to adjust the width of i
The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migtestapp">
<component type="Application">
<!-- Name of the application -->
@ -195,7 +196,7 @@ This table describes the behavior in the following example .xml file.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/testfilemig">
<component type="Application" context="System">
<displayName>File Migration Test</displayName>
@ -231,7 +232,7 @@ This table describes the behavior in the following example .xml file.
The behavior for this custom .xml file is described within the &lt;`displayName`&gt; tags in the code.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">

5
windows/deployment/usmt/usmt-hard-link-migration-store.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -209,7 +210,7 @@ You must use the **/nocompress** option with the **/HardLink** option.
The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use&lt;createhardlink&gt;** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
``` syntax
``` xml
<Policies>
<HardLinkStoreControl>
<fileLocked>

21
windows/deployment/usmt/usmt-include-files-and-settings.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -37,7 +38,7 @@ In this topic:
The following .xml file migrates a single registry key.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Application" context="System">
<displayName>Component to migrate only registry value string</displayName>
@ -63,7 +64,7 @@ The following examples show how to migrate a folder from a specific drive, and f
- **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents including subfolders</displayName>
@ -82,7 +83,7 @@ The following examples show how to migrate a folder from a specific drive, and f
- **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
@ -103,7 +104,7 @@ The following examples show how to migrate a folder from a specific drive, and f
The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents folder on any drive on the computer </displayName>
@ -123,7 +124,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf
The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive </displayName>
@ -146,7 +147,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf
The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>All .mp3 files to My Documents</displayName>
@ -176,7 +177,7 @@ The following examples show how to migrate a file from a specific folder, and ho
- **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents</displayName>
@ -195,13 +196,13 @@ The following examples show how to migrate a file from a specific folder, and ho
- **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the &lt;pattern&gt; element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated.
``` syntax
``` xml
<pattern type="File"> C:\* [Sample.doc] </pattern>
```
To migrate the Sample.doc file from any drive on the computer, use &lt;script&gt; as the following example shows. If multiple files exist with the same name, all files with this name are migrated.
``` syntax
``` xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
```

21
windows/deployment/usmt/usmt-log-files.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -252,7 +253,7 @@ The following examples describe common scenarios in which you can use the diagno
Lets imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains:
``` syntax
```
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM <DIR> New Folder
@ -263,7 +264,7 @@ Lets imagine that we have the following directory structure and that we want
The directory of **C:\\data\\New Folder** contains:
``` syntax
```
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM 0 New Text Document.txt
@ -294,7 +295,7 @@ To migrate these files you author the following migration XML:
However, upon testing the migration you notice that the “New Text Document.txt” file isnt included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered:
``` syntax
``` xml
<MigUnitList>
<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
<Patterns Type="Include">
@ -315,13 +316,13 @@ Analysis of this XML section reveals the migunit that was created when the migra
An analysis of the XML elements reference topic reveals that the &lt;pattern&gt; tag needs to be modified as follows:
``` syntax
``` xml
<pattern type="File">c:\data\* [*]</pattern>
```
When the migration is preformed again with the modified tag, the diagnostic log reveals the following:
``` syntax
``` xml
<MigUnitList>
<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
<Patterns Type="Include">
@ -346,7 +347,7 @@ This diagnostic log confirms that the modified &lt;pattern&gt; value enables the
In this scenario, you have the following directory structure and you want all files in the “data” directory to migrate, except for text files. The **C:\\Data** folder contains:
``` syntax
```
Directory of C:\Data
01/21/2009 10:08 PM <DIR> .
@ -359,7 +360,7 @@ Directory of C:\Data
The **C:\\Data\\New Folder\\** contains:
``` syntax
```
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM 0 New Text Document.txt
@ -396,7 +397,7 @@ You author the following migration XML:
However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered:
``` syntax
``` xml
<MigUnitList>
<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
<Patterns Type="Include">
@ -453,7 +454,7 @@ Upon reviewing the diagnostic log, you confirm that the files are still migratin
Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log:
``` syntax
``` xml
<MigUnitList>
<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
<Patterns Type="Include">

9
windows/deployment/usmt/usmt-reroute-files-and-settings.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -31,7 +32,7 @@ In this topic:
The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="User">
<displayName>Engineering Drafts Documents to Personal Folder</displayName>
@ -60,7 +61,7 @@ The following custom .xml file migrates the directories and files from C:\\Engin
The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>All .mp3 files to My Documents</displayName>
@ -88,7 +89,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o
The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="User">
<displayName>Sample.doc into My Documents</displayName>

125
windows/deployment/usmt/usmt-xml-elements-library.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -138,7 +139,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<addObjects>
<object>
<location type="Registry">%HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion]</location>
@ -212,7 +213,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<object>
<location type="Registry">%HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang]</location>
<attributes>DWORD</attributes>
@ -275,7 +276,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<object>
<location type="Registry">%HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang]</location>
<attributes>DWORD</attributes>
@ -455,7 +456,7 @@ For example,
In the code sample below, the &lt;condition&gt; elements, A and B, are joined together by the AND operator because they are in separate &lt;conditions&gt; sections. For example:
``` syntax
``` xml
<detection>
<conditions>
<condition>A</condition>
@ -468,7 +469,7 @@ In the code sample below, the &lt;condition&gt; elements, A and B, are joined to
However, in the code sample below, the &lt;condition&gt; elements, A and B, are joined together by the OR operator because they are in the same &lt;conditions&gt; section.
``` syntax
``` xml
<detection>
<conditions>
<condition>A</condition>
@ -826,7 +827,7 @@ For example:
~~~
For example:
``` syntax
``` xml
<condition negation="Yes">MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","")</condition>
```
~~~
@ -914,7 +915,7 @@ For example:
~~~
For example:
``` syntax
``` xml
<objectSet>
<condition negation="Yes">MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%")</condition>
<pattern type="File">%CSIDL_FAVORITES%\* [*]</pattern>
@ -1055,7 +1056,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<environment name="GlobalEnv">
<conditions>
<condition negation="Yes">MigXmlHelper.IsNative64Bit()</condition>
@ -1152,13 +1153,13 @@ The following functions generate patterns out of the content of an object. These
~~~
For example:
``` syntax
``` xml
<content filter="MigXmlHelper.ExtractSingleFile(',','%system%')">
```
and
``` syntax
``` xml
<content filter="MigXmlHelper.ExtractSingleFile(NULL,'%CSIDL_COMMON_FONTS%')">
```
~~~
@ -1243,7 +1244,7 @@ and
~~~
For example:
``` syntax
``` xml
<objectSet>
<content filter='MigXmlHelper.ExtractDirectory (NULL, "1")'>
<objectSet>
@ -1365,7 +1366,7 @@ The following functions change the content of objects as they are migrated. Thes
~~~
For example:
``` syntax
``` xml
<contentModify script="MigXmlHelper.ConvertToString('1')">
<objectSet>
<pattern type="Registry">HKCU\Control Panel\Desktop [ScreenSaveUsePassword]</pattern>
@ -1622,7 +1623,7 @@ Syntax:
The following code sample shows how the &lt;description&gt; element defines the "My custom component" description.:
``` syntax
``` xml
<description>My custom component<description>
```
@ -1677,7 +1678,7 @@ Syntax:
For example:
``` syntax
``` xml
<destinationCleanup>
<objectSet>
<pattern type="Registry">HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*]</pattern>
@ -1807,7 +1808,7 @@ Syntax:
The following example is from the MigApp.xml file.
``` syntax
``` xml
<detects>
<detect>
<condition>MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*")</condition>
@ -1878,7 +1879,7 @@ Syntax:
For example:
``` syntax
``` xml
<detection name="AdobePhotoshopCS">
<conditions>
<condition>MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0")</condition>
@ -1889,7 +1890,7 @@ For example:
and
``` syntax
``` xml
<role role="Settings">
<detection>
<conditions>
@ -1945,7 +1946,7 @@ Syntax:
For example:
``` syntax
``` xml
<displayName>Command Prompt settings</displayName>
```
@ -2012,7 +2013,7 @@ Syntax:
In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example:
``` syntax
``` xml
<environment>
<variable name="INSTALLPATH">
<script>MigXmlHelper.GetStringContent("Registry","\software\companyname\install [path]")</script>
@ -2022,7 +2023,7 @@ In this scenario, you want to generate the location of objects at run time depen
Then you can use an include rule as follows. You can use any of the [&lt;script&gt; functions](#scriptfunctions) to perform similar tasks.
``` syntax
``` xml
<include>
<objectSet>
<pattern type="File">%INSTALLPATH%\ [*.xyz]</pattern>
@ -2032,7 +2033,7 @@ Then you can use an include rule as follows. You can use any of the [&lt;script&
Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\].
``` syntax
``` xml
<environment>
<variable name="APPPATH">
<objectSet>
@ -2050,7 +2051,7 @@ Second, you can also filter registry values that contain data that you need. The
In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following &lt;include&gt; rule in an .xml file:
``` syntax
``` xml
<include>
<objectSet>
<pattern type="File">%SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt]</pattern>
@ -2064,7 +2065,7 @@ In this scenario, you want to migrate five files named File1.txt, File2.txt, and
Instead of typing the path five times, you can create a variable for the location as follows:
``` syntax
``` xml
<environment>
<variable name="DATAPATH">
<text>%SYSTEMDRIVE%\data\userdata\dir1\dir2 </text>
@ -2074,7 +2075,7 @@ Instead of typing the path five times, you can create a variable for the locatio
Then, you can specify the variable in an &lt;include&gt; rule as follows:
``` syntax
``` xml
<include>
<objectSet>
<pattern type="File">%DATAPATH% [File1.txt]</pattern>
@ -2133,7 +2134,7 @@ Syntax:
For example, from the MigUser.xml file:
``` syntax
``` xml
<exclude>
<objectSet>
<pattern type="File">%CSIDL_MYMUSIC%\* [*]</pattern>
@ -2190,7 +2191,7 @@ Syntax:
Example:
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
<!-- This component migrates My Video files -->
<component type="System" context="System">
@ -2297,7 +2298,7 @@ Syntax:
For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the &lt;component&gt; element:
``` syntax
``` xml
<extensions>
<extension>doc</extension>
<extensions>
@ -2305,7 +2306,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s
is the same as specifying the following code below the &lt;rules&gt; element:
``` syntax
``` xml
<include>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
@ -2418,7 +2419,7 @@ Syntax:
The following example is from the MigUser.xml file:
``` syntax
``` xml
<component type="Documents" context="User">
<displayName _locID="miguser.myvideo">My Video</displayName>
<paths>
@ -2501,7 +2502,7 @@ The following functions return a Boolean value. You can use them to migrate cert
For example:
``` syntax
``` xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<pattern type="File">%CSIDL_COMMON_VIDEO%\* [*]</pattern>
@ -2517,7 +2518,7 @@ The following functions return a Boolean value. You can use them to migrate cert
In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer:
``` syntax
``` xml
<include filter="MigXmlHelper.NeverRestore()">
<objectSet>
<pattern type="Registry">HKCU\Control Panel\International [Locale]</pattern>
@ -2634,7 +2635,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<addObjects>
<object>
<location type="Registry">%HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion]</location>
@ -2695,7 +2696,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<locationModify script="MigXmlHelper.RelativeMove('%CSIDL_APPDATA%\Microsoft\Office','%CSIDL_APPDATA%')">
<objectSet>
<pattern type="File">%CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip]</pattern>
@ -2740,7 +2741,7 @@ The following functions change the location of objects as they are migrated when
~~~
For example:
``` syntax
``` xml
<locationModify script="MigXmlHelper.ExactMove('HKCU\Keyboard Layout\Toggle [HotKey]')">
<objectSet>
<pattern type="Registry">HKCU\Keyboard Layout\Toggle []</pattern>
@ -2817,7 +2818,7 @@ For example:
~~~
For example:
``` syntax
``` xml
<include>
<objectSet>
<pattern type="File">%CSIDL_COMMON_FAVORITES%\* [*]</pattern>
@ -2923,7 +2924,7 @@ Syntax:
The following example is from the MigUser.xml file:
``` syntax
``` xml
<rules>
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
@ -2948,7 +2949,7 @@ These functions control how collisions are resolved.
For example:
``` syntax
``` xml
<merge script="MigXmlHelper.DestinationPriority()">
<objectSet>
<pattern type="Registry">HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures]</pattern>
@ -3037,7 +3038,7 @@ These functions control how collisions are resolved.
For example:
``` syntax
``` xml
<merge script="MigXmlHelper.SourcePriority()">
<objectSet>
<pattern type="Registry">%HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion]</pattern>
@ -3097,7 +3098,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
</migration>
```
@ -3138,7 +3139,7 @@ This filter helper function can be used to filter the migration of files based o
``` syntax
``` xml
<component context="System" type="Application">
<displayName>File_size</displayName>
<role role="Data">
@ -3194,7 +3195,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<addObjects>
<object>
<location type="Registry">%HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion]</location>
@ -3230,7 +3231,7 @@ Syntax:
The following example is from the MigUser.xml file:
``` syntax
``` xml
<component type="Documents" context="User">
<displayName _locID="miguser.mymusic">My Music</displayName>
<paths>
@ -3273,7 +3274,7 @@ This is an internal USMT element. Do not use this element.
You can use this element to specify multiple objects. You can specify multiple &lt;pattern&gt; elements for each &lt;objectSet&gt; element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with &lt;script&gt; instead. GenerateDrivePatterns is basically the same as a &lt;pattern&gt; rule, without the drive letter specification. For example, the following two lines of code are similar:
``` syntax
``` xml
<pattern type="File">C:\Folder\* [Sample.doc]</pattern>
<script>MigXmlHelper.GenerateDrivePatterns("\Folder\* [Sample.doc]","Fixed"</script>
```
@ -3336,13 +3337,13 @@ For example:
- To migrate a single registry key:
``` syntax
``` xml
<pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]</pattern>
```
- To migrate the EngineeringDrafts folder and any subfolders from the C: drive:
``` syntax
``` xml
<pattern type="File">C:\EngineeringDrafts\* [*]</pattern>
```
@ -3352,13 +3353,13 @@ For example:
- To migrate the Sample.doc file from C:\\EngineeringDrafts:
``` syntax
``` xml
<pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
```
- To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated.
``` syntax
``` xml
<pattern type="File"> C:\* [Sample.doc] </pattern>
```
@ -3484,7 +3485,7 @@ Syntax:
The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file:
``` syntax
``` xml
<component type="System" context="User">
<displayName _locID="miguser.startmenu">Start Menu</displayName>
<paths>
@ -3571,7 +3572,7 @@ Syntax:
The following example is from the MigUser.xml file:
``` syntax
``` xml
<component type="Documents" context="User">
<displayName _locID="miguser.mymusic">My Music</displayName>
<paths>
@ -3679,7 +3680,7 @@ Examples:
To migrate the Sample.doc file from any drive on the source computer, use &lt;script&gt; as follows. If multiple files exist with the same name, all such files will get migrated.
``` syntax
``` xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
```
@ -3744,7 +3745,7 @@ These functions return either a string or a pattern.
~~~
For example:
``` syntax
``` xml
<variable name="MSNMessengerInstPath">
<script>MigXmlHelper.GetStringContent("Registry","%HklmWowSoftware%\Microsoft\MSNMessenger [InstallationDirectory]")</script>
</variable>
@ -3849,7 +3850,7 @@ If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called whil
The following is example code for this scenario. The first &lt;rules&gt; element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second &lt;rules&gt; elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second &lt;rules&gt; element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
``` syntax
``` xml
<rules context="System">
<include>
<objectSet>
@ -3915,7 +3916,7 @@ This helper function invokes the document finder to scan the system for all file
``` syntax
``` xml
<!-- This component migrates data in user context -->
<component type="Documents" context="User">
<displayName>MigDocUser</displayName>
@ -3942,7 +3943,7 @@ The following scripts have no return value. You can use the following errors wit
- **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example:
``` syntax
``` xml
<processing when="apply-success">
<script>MigXmlHelper.AskForLogoff()</script>
</processing>
@ -3952,7 +3953,7 @@ The following scripts have no return value. You can use the following errors wit
- **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example:
``` syntax
``` xml
<processing when="pre-apply">
<script>MigXmlHelper.KillExplorer()</script>
</processing>
@ -3960,7 +3961,7 @@ The following scripts have no return value. You can use the following errors wit
- **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example:
``` syntax
``` xml
<processing when="apply-success">
<script>MigXmlHelper.RegisterFonts("%CSIDL_COMMON_FONTS%")</script>
</processing>
@ -3970,7 +3971,7 @@ The following scripts have no return value. You can use the following errors wit
- **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example:
``` syntax
``` xml
<processing when="post-apply">
<script>MigXmlHelper.RestartExplorer()</script>
</processing>
@ -4020,7 +4021,7 @@ Syntax:
For example:
``` syntax
``` xml
<variable name="QuickTime5or6DataSys">
<text>%CSIDL_COMMON_APPDATA%\QuickTime</text>
</variable>
@ -4045,7 +4046,7 @@ Syntax:
The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
``` syntax
``` xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
<component context="System" type="Documents">
<displayName>Test</displayName>
@ -4116,7 +4117,7 @@ Syntax:
The following example is from the MigApp.xml file:
``` syntax
``` xml
<environment>
<variable name="HklmWowSoftware">
<text>HKLM\Software</text>
@ -4168,7 +4169,7 @@ Syntax:
For example:
``` syntax
``` xml
<version>4.*</version>
```

9
windows/deployment/usmt/xml-file-requirements.md
View File

@ -8,7 +8,8 @@ ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
@ -20,20 +21,20 @@ When creating custom .xml files, note the following requirements:
- **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file:
``` syntax
``` xml
<?xml version="1.0" encoding="UTF-8"?>
```
- **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file:
``` syntax
``` xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/<CustomFileName>">
```
- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax:
``` syntax
``` xml
<displayName>My Application</displayName>
```

5
windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
View File

@ -9,7 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
---
@ -143,7 +144,7 @@ In this step, you export VAMT from the workgroups host computer and save it i
1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products.
2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Sataus** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
The same status appears under the **Status of Last Action** column in the product list view in the center pane.
## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab

19
windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
View File

@ -9,7 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
---
@ -32,11 +33,11 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p
For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type:
``` ps1
``` powershell
cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0”
```
- Import the VAMT PowerShell module. To import the module, type the following at a command prompt:
``` syntax
``` powershell
Import-Module .\VAMT.psd1
```
Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`.
@ -44,11 +45,11 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p
## To Get Help for VAMT PowerShell cmdlets
You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type:
``` ps1
``` powershell
get-help <cmdlet name> -all
```
For example, type:
``` ps1
``` powershell
get-help get-VamtProduct -all
```
@ -58,18 +59,18 @@ The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view onl
**To view VAMT PowerShell Help sections**
1. To get the syntax to use with a cmdlet, type the following at a command prompt:
``` ps1
``` powershell
get-help <cmdlet name>
```
For example, type:
``` ps1
``` powershell
get-help get-VamtProduct
```
2. To see examples using a cmdlet, type:
``` ps1
``` powershell
get-help <cmdlet name> -examples
```
For example, type:
``` ps1
``` powershell
get-help get-VamtProduct -examples
```

3
windows/deployment/windows-autopilot/autopilot-device-guidelines.md
View File

@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article

5
windows/deployment/windows-autopilot/index.md
View File

@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
@ -57,7 +58,7 @@ This guide is intended for use by an IT-specialist, system architect, or busines
<tr><td><a href="add-devices.md">Registering devices</a><td>The process of registering a device with the Windows Autopilot deployment service is described.
<tr><td><a href="profiles.md">Configuring device profiles</a><td>The device profile settings that specifie its behavior when it is deployed are described.
<tr><td><a href="enrollment-status.md">Enrollment status page</a><td>Settings that are available on the Enrollment Status Page are described.
<tr><td><a href="bitlocker.md">Bitlocker encryption</a><td> Available options for configuring BitLocker on Windows Autopilot devices are described.
<tr><td><a href="bitlocker.md">BitLocker encryption</a><td> Available options for configuring BitLocker on Windows Autopilot devices are described.
<tr><td><a href="troubleshooting.md">Troubleshooting Windows Autopilot</a><td>Diagnotic event information and troubleshooting procedures are provided.
<tr><td><a href="known-issues.md">Known issues</a><td>A list of current known issues and solutions is provided.
</table>

5
windows/deployment/windows-autopilot/self-deploying.md
View File

@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
@ -29,7 +30,7 @@ Self-deploying mode joins the device into Azure Active Directory, enrolls the de
Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
>[!NOTE]
>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device.
>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md).
![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png)

8
windows/deployment/windows-autopilot/white-glove.md
View File

@ -7,9 +7,11 @@ ms.mktglfcycl: deploy
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
manager: laurawi
ms.audience: itpro author: greg-lindsay
ms.audience: itpro
author: greg-lindsay
ms.collection: M365-modern-desktop
ms.topic: article
---
@ -44,7 +46,7 @@ In addition to [Windows Autopilot requirements](windows-autopilot-requirements.m
## Preparation
Devices slated for WG provisioning are registered for Autopilot via the normal registration process.
Devices slated for white glove provisioning are registered for Autopilot via the normal registration process.
To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios:

6
windows/deployment/windows-deployment-scenarios-and-tools.md
View File

@ -4,12 +4,14 @@ description: To successfully deploy the Windows 10 operating system and applica
ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
ms.reviewer:
manager: laurawi
ms.audience: itpro author: greg-lindsay
ms.audience: itpro
author: greg-lindsay
keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---

2
windows/privacy/diagnostic-data-viewer-overview.md
View File

@ -45,7 +45,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
>[!Important]
>It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
>It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.

8
windows/security/identity-protection/credential-guard/additional-mitigations.md
View File

@ -71,7 +71,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t
**Enrolling devices in a certificate**
Run the following command:
``` syntax
```powershell
CertReq -EnrollCredGuardCert MachineAuthentication
```
@ -87,7 +87,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
``` syntax
```powershell
.\get-IssuancePolicy.ps1 LinkedToGroup:All
```
@ -96,7 +96,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:
``` syntax
```powershell
.\set-IssuancePolicyToGroupLink.ps1 IssuancePolicyName:"<name of issuance policy>" groupOU:"<Name of OU to create>" groupName:”<name of Universal security group to create>"
```
@ -143,7 +143,7 @@ Here is a list of scripts mentioned in this topic.
Save this script file as get-IssuancePolicy.ps1.
``` syntax
```powershell
#######################################
## Parameters to be defined ##
## by the user ##

6
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -107,6 +107,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](https://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
<span id="hardware-readiness-tool"/>
### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
@ -115,7 +116,7 @@ You can also enable Windows Defender Credential Guard by using the [Windows Defe
DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot
```
> [!IMPORTANT]
> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
### Review Windows Defender Credential Guard performance
@ -200,6 +201,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p
For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
<span id="turn-off-with-hardware-readiness-tool"/>
#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
@ -208,7 +210,7 @@ You can also disable Windows Defender Credential Guard by using the [Windows Def
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
> [!IMPORTANT]
> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
#### Disable Windows Defender Credential Guard for a virtual machine

10
windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
View File

@ -96,7 +96,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t
**Enrolling devices in a certificate**
Run the following command:
``` syntax
```powershell
CertReq -EnrollCredGuardCert MachineAuthentication
```
@ -112,7 +112,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
``` syntax
```powershell
.\get-IssuancePolicy.ps1 LinkedToGroup:All
```
@ -121,7 +121,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:
``` syntax
```powershell
.\set-IssuancePolicyToGroupLink.ps1 IssuancePolicyName:"<name of issuance policy>" groupOU:"<Name of OU to create>" groupName:”<name of Universal security group to create>"
```
@ -172,7 +172,7 @@ Here is a list of scripts mentioned in this topic.
Save this script file as get-IssuancePolicy.ps1.
``` syntax
```powershell
#######################################
## Parameters to be defined ##
## by the user ##
@ -363,7 +363,7 @@ write-host "There are no issuance policies which are not mapped to groups"
Save the script file as set-IssuancePolicyToGroupLink.ps1.
``` syntax
```powershell
#######################################
## Parameters to be defined ##
## by the user ##

Some files were not shown because too many files have changed in this diff Show More