diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 2d2913c2b1..340a768d75 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -426,7 +426,7 @@ "Pdf" ] }, - "need_generate_pdf_url_template": false, + "need_generate_pdf_url_template": true, "Targets": { "Pdf": { "template_folder": "_themes.pdf" diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 73fce9589a..babe4c7aa6 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -1,44 +1,176 @@ -# [Deploy Windows 10](index.md) -## [What's new in Windows 10 deployment](deploy-whats-new.md) -## [Plan for Windows 10 deployment](planning/index.md) -### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) -### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -### [Windows 10 compatibility](planning/windows-10-compatibility.md) -### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md) -### [Windows To Go: feature overview](planning/windows-to-go-overview.md) -#### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) -#### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) -#### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) -#### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) -#### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) -### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md) -#### [SUA User's Guide](planning/sua-users-guide.md) -##### [Using the SUA Wizard](planning/using-the-sua-wizard.md) -##### [Using the SUA Tool](planning/using-the-sua-tool.md) -###### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md) -###### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md) -###### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md) -###### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md) -#### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md) -##### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md) -###### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md) -###### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md) -###### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) -###### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md) -###### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md) -###### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md) -###### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md) -###### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) -###### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) -##### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md) -###### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md) -###### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md) -###### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md) -##### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md) -#### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) -### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md) -## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -## Upgrade Windows +# [Deploy, Upgrade and Update Windows 10](index.md) + +## Deploy Windows 10 +### [What's new in Windows 10 deployment](deploy-whats-new.md) + +### [Plan for Windows 10 deployment](planning/index.md) +#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) +#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) +#### [Windows 10 compatibility](planning/windows-10-compatibility.md) +#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md) +#### [Windows To Go: feature overview](planning/windows-to-go-overview.md) +##### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) +##### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) +##### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) +##### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) +##### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) +#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md) +##### [SUA User's Guide](planning/sua-users-guide.md) +###### [Using the SUA Wizard](planning/using-the-sua-wizard.md) +###### [Using the SUA Tool](planning/using-the-sua-tool.md) +####### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md) +####### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md) +####### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md) +####### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md) +##### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md) +###### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md) +####### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md) +####### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md) +####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) +####### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md) +####### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md) +####### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md) +####### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md) +####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) +####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) +###### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md) +####### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md) +####### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md) +####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md) +###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md) +##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) +#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md) + +### [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + +### [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) +#### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) +#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) +#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +##### [Introduction to VAMT](volume-activation/introduction-vamt.md) +##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md) +##### [Install and Configure VAMT](volume-activation/install-configure-vamt.md) +###### [VAMT Requirements](volume-activation/vamt-requirements.md) +###### [Install VAMT](volume-activation/install-vamt.md) +###### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md) +##### [Add and Manage Products](volume-activation/add-manage-products-vamt.md) +###### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md) +###### [Update Product Status](volume-activation/update-product-status-vamt.md) +###### [Remove Products](volume-activation/remove-products-vamt.md) +##### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md) +###### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md) +###### [Install a Product Key](volume-activation/install-product-key-vamt.md) +###### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md) +##### [Manage Activations](volume-activation/manage-activations-vamt.md) +###### [Perform Online Activation](volume-activation/online-activation-vamt.md) +###### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md) +###### [Perform KMS Activation](volume-activation/kms-activation-vamt.md) +###### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md) +###### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md) +###### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md) +##### [Manage VAMT Data](volume-activation/manage-vamt-data.md) +###### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md) +###### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md) +##### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md) +###### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md) +###### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md) +###### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md) +##### [VAMT Known Issues](volume-activation/vamt-known-issues.md) +#### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) +##### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md) +###### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md) +###### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md) +###### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md) +##### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md) +###### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md) +###### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md) +###### [Include Files and Settings](usmt/usmt-include-files-and-settings.md) +###### [Migrate Application Settings](usmt/migrate-application-settings.md) +###### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md) +###### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md) +###### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md) +###### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md) +##### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md) +###### [Common Issues](usmt/usmt-common-issues.md) +###### [Frequently Asked Questions](usmt/usmt-faq.md) +###### [Log Files](usmt/usmt-log-files.md) +###### [Return Codes](usmt/usmt-return-codes.md) +###### [USMT Resources](usmt/usmt-resources.md) +##### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md) +###### [USMT Requirements](usmt/usmt-requirements.md) +###### [USMT Best Practices](usmt/usmt-best-practices.md) +###### [How USMT Works](usmt/usmt-how-it-works.md) +###### [Plan Your Migration](usmt/usmt-plan-your-migration.md) +####### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md) +####### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md) +####### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md) +######## [Migration Store Types Overview](usmt/migration-store-types-overview.md) +######## [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md) +######## [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md) +######## [Migration Store Encryption](usmt/usmt-migration-store-encryption.md) +####### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md) +######## [Identify Users](usmt/usmt-identify-users.md) +######## [Identify Applications Settings](usmt/usmt-identify-application-settings.md) +######## [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md) +######## [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md) +####### [Test Your Migration](usmt/usmt-test-your-migration.md) +###### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md) +####### [ScanState Syntax](usmt/usmt-scanstate-syntax.md) +####### [LoadState Syntax](usmt/usmt-loadstate-syntax.md) +####### [UsmtUtils Syntax](usmt/usmt-utilities.md) +###### [USMT XML Reference](usmt/usmt-xml-reference.md) +####### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md) +####### [Config.xml File](usmt/usmt-configxml-file.md) +####### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md) +####### [Custom XML Examples](usmt/usmt-custom-xml-examples.md) +####### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md) +####### [General Conventions](usmt/usmt-general-conventions.md) +####### [XML File Requirements](usmt/xml-file-requirements.md) +####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md) +####### [XML Elements Library](usmt/usmt-xml-elements-library.md) +###### [Offline Migration Reference](usmt/offline-migration-reference.md) + +### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) +#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) +#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) +#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) +#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) +#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) +#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) +#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md) +#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) +#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) + +### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) +##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md) +##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md) +##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) +#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) +#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) +#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) +#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) +#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) +##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) +##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) +##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) +##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) +##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) +##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) +##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) +##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) +#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +### [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) + +## Upgrade to Windows 10 ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Deploy Windows To Go in your organization](deploy-windows-to-go.md) @@ -55,47 +187,8 @@ ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) #### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md) -## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) -### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) -### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) -## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) -#### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md) -#### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md) -#### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) -### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) -### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) -### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) -### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) -### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) -#### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) -#### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) -#### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) -#### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) -#### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) -#### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) -#### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) -#### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) -## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) -### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) -### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) -### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) -### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) -### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) -### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) -### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) -### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) -### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md) -### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) -### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) -## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) -## [Convert MBR partition to GPT](mbr-to-gpt.md) -## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) -## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) +### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) + ## [Update Windows 10](update/index.md) ### [Quick guide to Windows as a service](update/waas-quick-start.md) ### [Overview of Windows as a service](update/waas-overview.md) @@ -117,11 +210,17 @@ ### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md) ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) ### [Manage device restarts after updates](update/waas-restart.md) +### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) +## [Convert MBR partition to GPT](mbr-to-gpt.md) +## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) +## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) +## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) + ## [Volume Activation [client]](volume-activation/volume-activation-windows-10.md) ### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md) ### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md) @@ -130,91 +229,5 @@ ### [Monitor activation [client]](volume-activation/monitor-activation-client.md) ### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md) ### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md) -## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) -## [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) -### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) -### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) -### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -#### [Introduction to VAMT](volume-activation/introduction-vamt.md) -#### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md) -#### [Install and Configure VAMT](volume-activation/install-configure-vamt.md) -##### [VAMT Requirements](volume-activation/vamt-requirements.md) -##### [Install VAMT](volume-activation/install-vamt.md) -##### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md) -#### [Add and Manage Products](volume-activation/add-manage-products-vamt.md) -##### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md) -##### [Update Product Status](volume-activation/update-product-status-vamt.md) -##### [Remove Products](volume-activation/remove-products-vamt.md) -#### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md) -##### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md) -##### [Install a Product Key](volume-activation/install-product-key-vamt.md) -##### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md) -#### [Manage Activations](volume-activation/manage-activations-vamt.md) -##### [Perform Online Activation](volume-activation/online-activation-vamt.md) -##### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md) -##### [Perform KMS Activation](volume-activation/kms-activation-vamt.md) -##### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md) -##### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md) -##### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md) -#### [Manage VAMT Data](volume-activation/manage-vamt-data.md) -##### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md) -##### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md) -#### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md) -##### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md) -##### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md) -##### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md) -#### [VAMT Known Issues](volume-activation/vamt-known-issues.md) -### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) -#### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md) -##### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md) -##### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md) -##### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md) -#### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md) -##### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md) -##### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md) -##### [Include Files and Settings](usmt/usmt-include-files-and-settings.md) -##### [Migrate Application Settings](usmt/migrate-application-settings.md) -##### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md) -##### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md) -##### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md) -##### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md) -#### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md) -##### [Common Issues](usmt/usmt-common-issues.md) -##### [Frequently Asked Questions](usmt/usmt-faq.md) -##### [Log Files](usmt/usmt-log-files.md) -##### [Return Codes](usmt/usmt-return-codes.md) -##### [USMT Resources](usmt/usmt-resources.md) -#### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md) -##### [USMT Requirements](usmt/usmt-requirements.md) -##### [USMT Best Practices](usmt/usmt-best-practices.md) -##### [How USMT Works](usmt/usmt-how-it-works.md) -##### [Plan Your Migration](usmt/usmt-plan-your-migration.md) -###### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md) -###### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md) -###### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md) -####### [Migration Store Types Overview](usmt/migration-store-types-overview.md) -####### [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md) -####### [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md) -####### [Migration Store Encryption](usmt/usmt-migration-store-encryption.md) -###### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md) -####### [Identify Users](usmt/usmt-identify-users.md) -####### [Identify Applications Settings](usmt/usmt-identify-application-settings.md) -####### [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md) -####### [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md) -###### [Test Your Migration](usmt/usmt-test-your-migration.md) -##### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md) -###### [ScanState Syntax](usmt/usmt-scanstate-syntax.md) -###### [LoadState Syntax](usmt/usmt-loadstate-syntax.md) -###### [UsmtUtils Syntax](usmt/usmt-utilities.md) -##### [USMT XML Reference](usmt/usmt-xml-reference.md) -###### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md) -###### [Config.xml File](usmt/usmt-configxml-file.md) -###### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md) -###### [Custom XML Examples](usmt/usmt-custom-xml-examples.md) -###### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md) -###### [General Conventions](usmt/usmt-general-conventions.md) -###### [XML File Requirements](usmt/xml-file-requirements.md) -###### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md) -###### [XML Elements Library](usmt/usmt-xml-elements-library.md) -##### [Offline Migration Reference](usmt/offline-migration-reference.md) -## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) \ No newline at end of file + +## [Change history for Deploy, Upgrade and Update Windows 10](change-history-for-deploy-windows-10.md) \ No newline at end of file diff --git a/windows/deployment/index.md b/windows/deployment/index.md index 2ef5fbaf96..95945c8749 100644 --- a/windows/deployment/index.md +++ b/windows/deployment/index.md @@ -9,34 +9,60 @@ localizationpriority: high author: greg-lindsay --- -# Deploy Windows 10 -Learn about deploying Windows 10 for IT professionals. +# Deploy, Upgrade and Update Windows 10 +Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous version and updating Windows 10. ## In this section + +### Deploy Windows 10 |Topic |Description | |------|------------| |[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. | +|[Plan for Windows 10 deployment](planning/index.md) | This topic provides information about Windows 10 deployment considerations. It also provides details to assist in Windows 10 deployment planning. | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | -|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | -|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | +|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | -|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. | -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | +|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | + +### Upgrade to Windows 10 +|Topic |Description | +|------|------------| |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. | +|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | +|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. | + +### Update Windows 10 +|Topic |Description | +|------|------------| +| [Quick guide to Windows as a service](update/waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | +| [Overview of Windows as a service](update/waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | +| [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | +| [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | +| [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. | +| [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. | +| [Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | +| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | +| [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | +| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | +| [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Manage device restarts after updates](update/waas-restart.md) | Explains how to manage update related device restarts. | +| [Manage additional Windows Update settings](update/waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | +| [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | + +### Additional topics +|Topic |Description | +|------|------------| +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation/volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | -|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | |[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). | -## Related topics -- [Windows 10 and Windows 10 Mobile](/windows/windows-10) -     diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index dad9a37627..bc18ab0d95 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -40,7 +40,8 @@ Windows as a service provides a new way to think about building, deploying, and | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | | [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | -| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. | +| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | +| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 0a1d7e7ce0..2df47d49ca 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -2,7 +2,7 @@ title: Configure Windows Update for Business (Windows 10) description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. ms.prod: w10 -ms.mktglfcycl: manage +ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin localizationpriority: high diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 070e8de2d1..919c9ff1d3 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -2,7 +2,7 @@ title: Configure Delivery Optimization for Windows 10 updates (Windows 10) description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 ms.prod: w10 -ms.mktglfcycl: manage +ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin localizationpriority: high diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index da651bccc2..4d57b5a82a 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -2,7 +2,7 @@ title: Manage device restarts after updates (Windows 10) description: tbd ms.prod: w10 -ms.mktglfcycl: manage +ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin localizationpriority: high diff --git a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md index d92a5becf5..494677a20d 100644 --- a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md @@ -2,7 +2,7 @@ title: Assign devices to servicing branches for Windows 10 updates (Windows 10) description: tbd ms.prod: w10 -ms.mktglfcycl: manage +ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin localizationpriority: high diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md new file mode 100644 index 0000000000..b2d249199f --- /dev/null +++ b/windows/deployment/update/waas-wu-settings.md @@ -0,0 +1,177 @@ +--- +title: Manage additional Windows Update settings (Windows 10) +description: Additional settings to control the behavior of Windows Update (WU) in Windows 10 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: DaniHalfin +localizationpriority: high +--- + +# Manage additional Windows Update settings + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more. + +>[!IMPORTANT] +>In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. + +## Summary of Windows Update settings + +| Group Policy setting | MDM setting | Supported from version | +| --- | --- | --- | +| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All | +| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 | +| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All | +| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All | +| [Enable client-side targeting](#enable-client-side-targeting) | | All | +| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All | +| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 | +| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | All | + +>[!IMPORTANT] +>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**. +> +>Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**. + +## Scanning for updates + +With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates. + +[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates. + +You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). + +Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users. + +For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md). + +### Specify Intranet Microsoft update service location + +Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. +This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. + +If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. +If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service. +The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server. + +>[!NOTE] +>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. +> +>If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates. +> +>The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set. + +To configure this policy with MDM, use [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate). + +### Automatic Updates detection frequency + +Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours. + +To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**. + +If the setting is set to **Enabled**, Windows will check for available updates at the specified interval. +If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours. + +>[!NOTE] +>The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect. +> +>If the “Configure Automatic Updates” policy is disabled, this policy has no effect. + +To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency). + +### Remove access to use all Windows Update features + +By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. + +### Do not connect to any Windows Update Internet locations + +Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. + +Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working. + +>[!NOTE] +>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + +### Enable client-side targeting + +Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or SCCM. + +This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**. +If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer. +If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service. + +If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified. + +>[!NOTE] +>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect. + +### Allow signed updates from an intranet Microsoft update service location + +This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + +To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**. + +If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer. +If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft. + +>[!NOTE] +>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting. + +To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate). + + +## Installing updates + +To add more flexibility to the update process, settings are available to control update installation. + +[Configure Automatic Updates](#configure-automatic-updates) offers 4 different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates. + +### Do not include drivers with Windows Updates + +Allows admins to exclude Windows Update (WU) drivers during updates. + +To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. +Enable this policy to not include drivers with Windows quality updates. +If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. + +### Configure Automatic Updates + +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. + +When enabling this setting through Group Policy, under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options: + +**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates. + +**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them. + +**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation). + +**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. + +If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**. + +If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**. + + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/threat-protection/images/wanna1.png b/windows/threat-protection/images/wanna1.png new file mode 100644 index 0000000000..e90d1cc12c Binary files /dev/null and b/windows/threat-protection/images/wanna1.png differ diff --git a/windows/threat-protection/images/wanna2.png b/windows/threat-protection/images/wanna2.png new file mode 100644 index 0000000000..7b4a1dcd97 Binary files /dev/null and b/windows/threat-protection/images/wanna2.png differ diff --git a/windows/threat-protection/images/wanna3.png b/windows/threat-protection/images/wanna3.png new file mode 100644 index 0000000000..9b0b176366 Binary files /dev/null and b/windows/threat-protection/images/wanna3.png differ diff --git a/windows/threat-protection/images/wanna4.png b/windows/threat-protection/images/wanna4.png new file mode 100644 index 0000000000..17fefde707 Binary files /dev/null and b/windows/threat-protection/images/wanna4.png differ diff --git a/windows/threat-protection/images/wanna5.png b/windows/threat-protection/images/wanna5.png new file mode 100644 index 0000000000..92ecf67d20 Binary files /dev/null and b/windows/threat-protection/images/wanna5.png differ diff --git a/windows/threat-protection/images/wanna6.png b/windows/threat-protection/images/wanna6.png new file mode 100644 index 0000000000..26824af34d Binary files /dev/null and b/windows/threat-protection/images/wanna6.png differ diff --git a/windows/threat-protection/images/wanna7.png b/windows/threat-protection/images/wanna7.png new file mode 100644 index 0000000000..634bd1449d Binary files /dev/null and b/windows/threat-protection/images/wanna7.png differ diff --git a/windows/threat-protection/images/wanna8.png b/windows/threat-protection/images/wanna8.png new file mode 100644 index 0000000000..59b42eb6f6 Binary files /dev/null and b/windows/threat-protection/images/wanna8.png differ diff --git a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md new file mode 100644 index 0000000000..6d73bea83b --- /dev/null +++ b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md @@ -0,0 +1,250 @@ +--- +title: WannaCrypt ransomware worm targets out-of-date systems +description: In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response. +keywords: wannacry, wannacrypt, wanna, ransomware +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: medium +author: iaanw +--- + +# WannaCrypt ransomware worm targets out-of-date systems + + +On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so. + +Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware. + +In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response. + +## Attack vector + +Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), which was released on March 14, 2017. + +WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available. + +The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack. + +We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware: + +- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit +- Infection through SMB exploit when an unpatched computer is addressable from other infected machines + +## Dropper + +The threat arrives as a dropper Trojan that has the following two components: + +1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers +2. The ransomware known as WannaCrypt + +The dropper tries to connect the following domains using the API `InternetOpenUrlA()`: + +- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com +- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com + +If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system. + +In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80. + +![Connection information from WannaCrypt code](images/wanna1.png) + +The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system: +``` +Service Name: mssecsvc2.0 +Service Description: (Microsoft Security Center (2.0) Service) +Service Parameters: '-m security' +``` + + ![Mssecsvc2.0 process details](images/wanna2.png) + +## WannaCrypt ransomware + +The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'. + +When run, WannaCrypt creates the following registry keys: + +- *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\ = '\\tasksche.exe'* +- *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\'* + +It changes the wallpaper to a ransom message by modifying the following registry key: + +- *HKCU\Control Panel\Desktop\Wallpaper: '\\\@WanaDecryptor@.bmp'* + +It creates the following files in the malware's working directory: + +- *00000000.eky* +- *00000000.pky* +- *00000000.res* +- *274901494632976.bat* +- *@Please_Read_Me@.txt* +- *@WanaDecryptor@.bmp* +- *@WanaDecryptor@.exe* +- *b.wnry* +- *c.wnry* +- *f.wnry* +- *m.vbs* +- *msg\m_bulgarian.wnry* +- *msg\m_chinese (simplified).wnry* +- *msg\m_chinese (traditional).wnry* +- *msg\m_croatian.wnry* +- *msg\m_czech.wnry* +- *msg\m_danish.wnry* +- *msg\m_dutch.wnry* +- *msg\m_english.wnry* +- *msg\m_filipino.wnry* +- *msg\m_finnish.wnry* +- *msg\m_french.wnry* +- *msg\m_german.wnry* +- *msg\m_greek.wnry* +- *msg\m_indonesian.wnry* +- *msg\m_italian.wnry* +- *msg\m_japanese.wnry* +- *msg\m_korean.wnry* +- *msg\m_latvian.wnry* +- *msg\m_norwegian.wnry* +- *msg\m_polish.wnry* +- *msg\m_portuguese.wnry* +- *msg\m_romanian.wnry* +- *msg\m_russian.wnry* +- *msg\m_slovak.wnry* +- *msg\m_spanish.wnry* +- *msg\m_swedish.wnry* +- *msg\m_turkish.wnry* +- *msg\m_vietnamese.wnry* +- *r.wnry* +- *s.wnry* +- *t.wnry* +- *TaskData\Tor\libeay32.dll* +- *TaskData\Tor\libevent-2-0-5.dll* +- *TaskData\Tor\libevent_core-2-0-5.dll* +- *TaskData\Tor\libevent_extra-2-0-5.dll* +- *TaskData\Tor\libgcc_s_sjlj-1.dll* +- *TaskData\Tor\libssp-0.dll* +- *TaskData\Tor\ssleay32.dll* +- *TaskData\Tor\taskhsvc.exe* +- *TaskData\Tor\tor.exe* +- *TaskData\Tor\zlib1.dll* +- *taskdl.exe* +- *taskse.exe* +- *u.wnry* + +WannaCrypt may also create the following files: + +- *%SystemRoot%\tasksche.exe* +- *%SystemDrive%\intel\\\\tasksche.exe* +- *%ProgramData%\\\\tasksche.exe* + +It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '\tasksche.exe'`. + +It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.* + +WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*. + +This ransomware also creates the file *@Please_Read_Me@.txt* in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below). + +After completing the encryption process, the malware deletes the volume shadow copies by running the following command: +`cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet` + +It then replaces the desktop background image with the following message: + +![Example background image of WannaCrypt](images/wanna3.png) + +It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer: + + ![Screenshot of WannaCrypt ransom notice](images/wanna4.png) + +The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese. + +The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files. + + ![Screenshot of decryption window](images/wanna5.png) + +## Spreading capability + +The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below. + +![Spreading scanning activity](images/wanna6.png) + +The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers. + +When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems. + + ![Kernel-level shellcode used by WannaCrypt](images/wanna7.png) + + ![Kernel-level shellcode used by WannaCrypt](images/wanna8.png) + +## Protection against the WannaCrypt attack + +To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/en-us/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. + +We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface: + +- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/) +- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445 + +[Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats. + +For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running. + +Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware. + +Monitor networks with [Windows Defender Advanced Threat Protection](http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/en-us/download/details.aspx?id=55090). + +## Resources + +Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu) + +Download localized language security updates: [Windows Server 2003 SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0) + +MS17-010 Security Update: [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) + +Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/) + +General information on ransomware: [https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx) + +## Indicators of compromise + +SHA1 of samples analyzed: + +- 51e4307093f8ca8854359c0ac882ddca427a813c +- e889544aff85ffaf8b0d0da705105dee7c97fe26 + +Files created: + +- %SystemRoot%\mssecsvc.exe +- %SystemRoot%\tasksche.exe +- %SystemRoot%\qeriuwjhrf +- b.wnry +- c.wnry +- f.wnry +- r.wnry +- s.wnry +- t.wnry +- u.wnry +- taskdl.exe +- taskse.exe +- 00000000.eky +- 00000000.res +- 00000000.pky +- @WanaDecryptor@.exe +- @Please_Read_Me@.txt +- m.vbs +- @WanaDecryptor@.exe.lnk +- @WanaDecryptor@.bmp +- 274901494632976.bat +- taskdl.exe +- Taskse.exe +- Files with '.wnry' extension +- Files with '.WNCRY' extension + +Registry keys created: + +- HKLM\SOFTWARE\WanaCrypt0r\wd + + + +*Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*
*Microsoft Malware Protection Center* +