diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 2cde160250..5844d94ceb 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -5,9 +5,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 09/27/2019 ms.reviewer: manager: dansimp --- 
@@ -77,10 +76,12 @@ manager: dansimp Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. -Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. + +> [!NOTE] +> This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. The following list shows the supported values: @@ -128,4 +129,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index b106637736..f68a71f820 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
@@ -677,7 +677,7 @@ The following list shows the supported values: -Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. +Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. * On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. * On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 9c6de75b46..468313fb87 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md 
@@ -196,14 +196,14 @@ ADMX Info: **Settings/SaveFilesToHost** -Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. +Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. The following list shows the supported values: -- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). +- 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index bdb67e2528..959de7db9d 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md 
@@ -35,7 +35,9 @@ Any one of the following factors might cause the stop error: * In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions -* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) +* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) + +* If there is a blank GPT entry before the entry of the **Boot** partition ## Troubleshoot this error @@ -98,15 +100,17 @@ To verify the BCD entries: If the computer is UEFI-based, here's example output: - ```cmd + ```console device partition=\Device\HarddiskVolume2 path \EFI\Microsoft\Boot\bootmgfw.efi ``` If the machine is BIOS-based, here's example output: - ```cmd + + ```console Device partition=C: ``` + >[!NOTE] >This output might not contain a path. @@ -121,7 +125,9 @@ If any of the information is wrong or missing, we recommend that you create a ba After the backup completes, run the following command to make the changes: -
bcdedit /set *{identifier}* option value+```console +bcdedit /set *{identifier}* option value +``` For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:` @@ -133,20 +139,20 @@ If the files are missing, and you want to rebuild the boot files, follow these s 1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here: - ```cmd + ```console D:\> Mkdir BootBackup R:\> Copy *.* D:\BootBackup ``` 2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here: - ```cmd + ```console Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL ``` For example, if we assign the `
Windows 10 installation media | Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise. |
Internet access | If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet. |
Hyper-V or a physical device running Windows 10 | The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V. |
A Premium Intune account | This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab. |
-PS C:\> md c:\HWID + ```console + PS C:\> md c:\HWID + + Directory: C:\ + + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + d----- 11/13/2020 3:00 PM HWID + + + PS C:\Windows\system32> Set-Location c:\HWID + PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force + + NuGet provider is required to continue + PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet + provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or + 'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running + 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and + import the NuGet provider now? + [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y + PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" + PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17 + PS C:\HWID> dir + + + Directory: C:\HWID + + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + -a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv + + + PS C:\HWID> + ``` + +1. Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. - Directory: C:\ + > [!NOTE] + > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. 
The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. +  -Mode LastWriteTime Length Name ----- ------------- ------ ---- -d----- 11/13/2020 3:00 PM HWID + You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). + If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. -PS C:\Windows\system32> Set-Location c:\HWID -PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force - -NuGet provider is required to continue -PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet - provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or -'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running - 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and -import the NuGet provider now? -[Y] Yes [N] No [S] Suspend [?] 
Help (default is "Y"): Y -PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" -PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv -Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17 -PS C:\HWID> dir - - - Directory: C:\HWID - - -Mode LastWriteTime Length Name ----- ------------- ------ ---- --a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv - - -PS C:\HWID> -- -Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. - -> [!NOTE] -> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - - - -You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). - -If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. - -> [!NOTE] -> When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. 
+ > [!NOTE] + > When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. ## Reset the VM back to Out-Of-Box-Experience (OOBE) @@ -446,14 +453,17 @@ Pick one: The Autopilot deployment profile wizard will ask for a device group, so we must create one first. To create a device group: 1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**. + 2. In the **Group** blade: 1. For **Group type**, choose **Security**. 2. Type a **Group name** and **Group description** (ex: Autopilot Lab). 3. Azure AD roles can be assigned to the group: **No** 4. For **Membership type**, choose **Assigned**. + 3. Click **Members** and add the Autopilot VM to the group. See the following example: -  + > [!div class="mx-imgBorder"] + >  4. Click **Create**. @@ -461,11 +471,13 @@ The Autopilot deployment profile wizard will ask for a device group, so we must To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**. - +> [!div class="mx-imgBorder"] +>  Click on **Create profile** and then select **Windows PC**. - +> [!div class="mx-imgBorder"] +>  On the **Create profile** blade, use the following values: @@ -481,7 +493,7 @@ Click **Next** to continue with the **Out-of-box experience (OOBE)** settings: |---|---| | Deployment mode | User-driven | | Join to Azure AD as | Azure AD joined | -| Microsoft Sofware License Terms | Hide | +| Microsoft Software License Terms | Hide | | Privacy Settings | Hide | | Hide change account options | Hide | | User account type | Standard | 
@@ -504,6 +516,7 @@ Click **Next** to continue with the **Assignments** settings: Click on **OK** and then click on **Create**. +> [!NOTE] > If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). ### Create a Windows Autopilot deployment profile using MSfB @@ -524,15 +537,18 @@ To CREATE the profile: Select your device from the **Devices** list: - +> [!div class="mx-imgBorder"] +>  On the Autopilot deployment dropdown menu, select **Create new profile**: - +> [!div class="mx-imgBorder"] +>  Name the profile, choose your desired settings, and then click **Create**: - +> [!div class="mx-imgBorder"] +>  The new profile is added to the Autopilot deployment list. @@ -540,11 +556,13 @@ To ASSIGN the profile: To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: - +> [!div class="mx-imgBorder"] +>  Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: - +> [!div class="mx-imgBorder"] +>  > [!IMPORTANT] > The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
@@ -553,7 +571,8 @@ Confirm the profile was successfully assigned to the intended device by checking If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: - +> [!div class="mx-imgBorder"] +>  Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. @@ -568,7 +587,8 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. - +> [!div class="mx-imgBorder"] +>  Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. 
@@ -585,18 +605,20 @@ To use the device (or VM) for other purposes after completion of this lab, you w You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu. - +> [!div class="mx-imgBorder"] +>  This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. > [!NOTE] -> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. +> A device will only appear in the All devices list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion. - +> [!div class="mx-imgBorder"] +>  At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. 
After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: @@ -610,7 +632,7 @@ Starting with Windows 8, the host computer's microprocessor must support second To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: -
+```console C:>systeminfo ... @@ -618,15 +640,16 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes -+``` In this example, the computer supports SLAT and Hyper-V. +> [!NOTE] > If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [Coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: -
+```console C:>coreinfo -v Coreinfo v3.31 - Dump information on system CPU and memory topology @@ -639,7 +662,7 @@ Microcode signature: 0000001B HYPERVISOR - Hypervisor is present VMX * Supports Intel hardware-assisted virtualization EPT * Supports Intel extended page tables (SLAT) -+``` > [!NOTE] > A 64-bit operating system is required to run Hyper-V. @@ -662,7 +685,8 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: - +> [!div class="mx-imgBorder"] +>  After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. @@ -680,7 +704,8 @@ Under **App Type**, select **Windows app (Win32)**: On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: - +> [!div class="mx-imgBorder"] +>  On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: @@ -688,8 +713,10 @@ On the **App Information Configure** blade, provide a friendly name, description On the **Program Configuration** blade, supply the install and uninstall commands: +```console Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q +``` > [!NOTE] > Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file. 
@@ -702,11 +729,13 @@ Click **OK** to save your input and activate the **Requirements** blade. On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: - +> [!div class="mx-imgBorder"] +>  Next, configure the **Detection rules**. For our purposes, we will select manual format: - +> [!div class="mx-imgBorder"] +>  Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: @@ -716,7 +745,8 @@ Click **OK** twice to save, as you back out to the main **Add app** blade again **Return codes**: For our purposes, leave the return codes at their default values: - +> [!div class="mx-imgBorder"] +>  Click **OK** to exit. @@ -726,11 +756,13 @@ Click the **Add** button to finalize and save your app package. Once the indicator message says the addition has completed. - +> [!div class="mx-imgBorder"] +>  You will be able to find your app in your app list: - +> [!div class="mx-imgBorder"] +>  #### Assign the app to your Intune profile @@ -739,19 +771,22 @@ You will be able to find your app in your app list: In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: - +> [!div class="mx-imgBorder"] +>  Select **Add Group** to open the **Add group** pane that is related to the app. -For our purposes, select **Required** from the **Assignment type** dropdown menu: +For our purposes, select **Required** from the **Assignment type** dropdown menu. +> [!NOTE] > **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. Select **Included Groups** and assign the groups you previously created that will use this app:  - +> [!div class="mx-imgBorder"] +>  In the **Select groups** pane, click the **Select** button. 
@@ -761,7 +796,8 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. - +> [!div class="mx-imgBorder"] +>  At this point, you have completed steps to add a Win32 app to Intune. @@ -783,15 +819,17 @@ Under **App Type**, select **Office 365 Suite > Windows 10**: Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: - +> [!div class="mx-imgBorder"] +>  Click **OK**. In the **App Suite Information** pane, enter a unique suite name, and a suitable description. -> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. +Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. - +> [!div class="mx-imgBorder"] +>  Click **OK**. 
@@ -808,19 +846,21 @@ Click **OK** and then click **Add**. In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: - +> [!div class="mx-imgBorder"] +>  Select **Add Group** to open the **Add group** pane that is related to the app. -For our purposes, select **Required** from the **Assignment type** dropdown menu: +For our purposes, select **Required** from the **Assignment type** dropdown menu. -> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. +**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. Select **Included Groups** and assign the groups you previously created that will use this app:  - +> [!div class="mx-imgBorder"] +>  In the **Select groups** pane, click the **Select** button. diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index e408ad9ba8..76ef2c7179 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -1853,7 +1853,7 @@ The Enterprise Key Admins group was introduced in Windows Server 2016. | Default container | CN=Users, DC=<domain>, DC= | | Default members | None | | Default member of | None | -| Protected by ADMINSDHOLDER? | No | +| Protected by ADMINSDHOLDER? | Yes | | Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | 
@@ -2331,7 +2331,7 @@ The Key Admins group applies to versions of the Windows Server operating system | Default container | CN=Users, DC=<domain>, DC= | | Default members | None | | Default member of | None | -| Protected by ADMINSDHOLDER? | No | +| Protected by ADMINSDHOLDER? | Yes | | Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 27f4be1157..5f85322714 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -263,11 +263,10 @@ To disable Windows Defender Credential Guard, you can use the following set of p >bcdedit /set vsmlaunchtype off >``` -> [!NOTE] -> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. +For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity). -For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity -). +> [!NOTE] +> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. @@ -292,5 +291,3 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m Set-VMSecurity -VMName
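Review bot: In the policy-csp-controlpolicyconflict.md front-matter hunk (`@@ -5,9 +5,8 @@`), dropping `ms.date: 09/27/2019` leaves the page with no last-updated date even though its body text changes in the same patch; if the goal is to mark the content as revised, update the date rather than remove it, and confirm the `author: manikadhiman` to `author: dansimp` switch is intended given `ms.author: dansimp` already carries attribution.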
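Review bot: In the controlpolicyconflict body hunk (`@@ -77,10 +76,12 @@`), the new `[!NOTE]` mixes a straight apostrophe ("doesn't support the Delete command") with a curly one ("doesn’t support setting the value") on one line; normalize to a single style. In the first note, the inserted sentence "MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP" sits between two sentences that scope MDMWinsOverGP to Policy CSP and reads as a broader claim than the note makes; tie it to the first sentence ("...only applies to policies in Policy CSP, and not every Group Policy has an equivalent there") or move it to the end of the note.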
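Review bot: In the policy-csp-devicelock.md hunk (`@@ -677,7 +677,7 @@`), changing "(in seconds)" to "(in minutes)" is a substantive correction to an idle-lock timeout, and the unchanged bullet "the Lumia 950 and 950XL have a maximum timeout value of 5 minutes" agrees with minutes; please reference the policy's supported-values range in the PR description so the unit can be confirmed, because an admin who reads the old "seconds" wording and enters 300 intending five minutes would actually configure a 300-minute window before the device locks.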
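Review bot: In the windowsdefenderapplicationguard-csp.md hunk (`@@ -196,14 +196,14 @@`), the added sentence "This also enables users to elect files on the host operating system and upload it through Edge in the container" should read "select files" and "upload them", and the same line keeps the pre-existing "persist files them from container" wording that could be fixed while it is being touched. The supported-values list is now asymmetric: value 0 states that the user can neither download nor upload, but value 1 still only says "allow users to download files from Edge in the container to the host file system"; since this setting opens the container/host isolation boundary in both directions, the value 1 entry should name the upload direction too so an admin understands what enabling it permits.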
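Review bot: In the troubleshoot-inaccessible-boot-device.md factors hunk (`@@ -35,7 +35,9 @@`), the new bullet "If there is a blank GPT entry before the entry of the **Boot** partition" is a conditional clause while its siblings are noun phrases ("Corrupted files in the **Boot** partition"); reword to "A blank GPT entry before the entry of the **Boot** partition". The preceding bullet appears as a removed line re-added with no visible text change, which points to trailing whitespace; drop that pair to keep the diff minimal.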
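Review bot: In the bcdedit hunk (`@@ -121,7 +125,9 @@`), `bcdedit /set *{identifier}* option value` is now inside a ```console fence, where Markdown emphasis does not apply, so the asterisks render literally; use a plain placeholder such as `bcdedit /set {identifier} option value` and explain {identifier}, option and value in the sentence before the block. The `Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL` line in the next hunk has the same problem (already present under the old ```cmd fence) and is worth fixing in the same pass.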
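Review bot: In the Autopilot lab hunk that moves the PowerShell transcript into an indented ```console fence, the `Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force` line still has no explanation; since the step then fetches and runs a script with `Install-Script -Name Get-WindowsAutopilotInfo -Force`, add a sentence after the block saying the policy change is process-scoped and does not persist once the window closes, so readers on managed machines know they are not weakening the host permanently. The transcript also retains a specific device serial ("Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17") and a user profile path ('C:\Users\user1\AppData\...'); placeholders would be cleaner now that the block is being rewritten.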
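Review bot: In the Office 365 suite hunk (`@@ -783,15 +819,17 @@`), the context line "For the purposes of this labe we have only selected Excel" has a typo ("labe" for "lab") directly above the changed image lines; fix it in this pass.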
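Review bot: In the Office assignment hunk (`@@ -808,19 +846,21 @@`), the sentence "**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website" is un-quoted into a plain paragraph, while the parallel Win32 app hunk (`@@ -739,19 +771,22 @@`) gives the identical sentence a `> [!NOTE]` header; the two sections should get the same treatment.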
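Review bot: In the active-directory-security-groups.md hunks (`@@ -1853,7 +1853,7 @@` and `@@ -2331,7 +2331,7 @@`), flipping "Protected by ADMINSDHOLDER?" from No to Yes for Enterprise Key Admins and Key Admins changes a stated security property (AdminSDHolder protection means SDProp periodically resets the group's ACL and sets adminCount), but the patch gives no source; the PR description should cite the reference or the check performed, for example inspecting the group's adminCount attribute with `Get-ADGroup -Identity "Key Admins" -Properties adminCount` on a fresh Windows Server 2016 domain, so a reader of the table can trust the new value.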
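Review bot: In the credential-guard-manage.md hunk (`@@ -263,11 +263,10 @@`), the note changes from "not currently supported when using Azure IaaS VMs" to "not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only", which is a substantive support statement for a credential-isolation feature; link the Azure page that documents this so the claim is verifiable, and use "generation 1" and "generation 2" to match the Azure VM naming. Moving the note below the "For more info on virtualization-based security and HVCI" sentence and repairing the link that was split across a line break both look correct.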