Merge branch 'master' into jreeds-rebrand-antivirus

This commit is contained in:
Jeff Reeds (Aquent LLC) 2020-06-01 12:33:03 -07:00
commit c72c19c4b7
102 changed files with 670 additions and 702 deletions

View File

@ -14648,7 +14648,7 @@
},
{
"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md",
"redirect_url": "https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-events-and-fields-2005",
"redirect_url": "https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-events-and-fields-2004",
"redirect_document_id": true
},
{
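Review bot: the redirect target for windows/privacy/basic-level-windows-diagnostic-events-and-fields.md moves from the -2005 page back to the -2004 page; confirm that required-windows-diagnostic-events-and-fields-2004 is published and that no other entry in this file still points at -2005, otherwise the merge leaves a dangling redirect. The commit message ("Merge branch 'master'") gives no reason for reverting the version, so a short note on why 2005 is not yet the right target would help the next reader.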
@ -15952,6 +15952,11 @@
"redirect_document_id": true
},
{
"source_path": "devices/surface/using-the-sda-deployment-share.md",
"redirect_url": "https://docs.microsoft.com/surface/microsoft-surface-deployment-accelerator",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction",
"redirect_document_id": true
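Review bot: the new entry for devices/surface/using-the-sda-deployment-share.md pairs with this commit's deletion of that file and its removal from the Surface TOC, which is consistent; because redirect_document_id is true, confirm no other entry already transfers its document ID to microsoft-surface-deployment-accelerator. The attack-surface-reduction-rules-in-windows-10-enterprise-e3.md entry has no matching deletion in this diff, so confirm that source page is removed here or upstream, since a redirect for a page that still exists makes it unreachable.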

View File

@ -41,7 +41,7 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When
1. Select **Enroll into device management** and enter your organizational account. You will be redirected to your organization's sign in page.
1. Upon successful authentication to the MDM server, a success message is shown.
Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.
Your device is now enrolled with your MDM server. The Settings app will now reflect that the device is enrolled in device management.
## Unenroll HoloLens from Intune
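Review bot: dropping "The device will need to restart to acquire policies, certificates, and apps." removes a user-facing step from the enrollment procedure. If a restart is still required before policies and certificates apply, keep the sentence; if it is no longer required, the change deserves a line in the commit message, because admins reading the old text will otherwise expect the restart.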

View File

@ -132,7 +132,7 @@ Many Windows apps now support both dark and light modes, and HoloLens 2 customer
- 3D Viewer
- Movies & TV
![Dark mode windows tiled](images/hololens-darkmode-tiled-picture.jpg)
![Dark mode windows tiled](images/DarkMode.jpg)
### System voice commands
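Review bot: the replacement image name images/DarkMode.jpg uses mixed case, while the neighbouring asset (hololens-darkmode-tiled-picture.jpg) and the rest of the repo use lowercase hyphenated names; docs builds run on case-sensitive hosts, so a later reference typed as darkmode.jpg would break. Rename the added binary to a lowercase name (for example images/hololens-darkmode.jpg) and update this reference to match.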

View File

@ -62,7 +62,7 @@ The setup process configures your HoloLens for a specific region and language. Y
If the supported language that you're looking for is not in the menu, follow these steps:
1. Under **Preferred languages**, select **Add a language**.
2. Locater and add the language.
2. Locate and add the language.
3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
### To change the keyboard layout


View File

@ -5,7 +5,7 @@ keywords: separate values with commas
ms.prod: surface-hub
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
manager: laurawi
audience: Admin
ms.topic: article
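Review bot: ms.author changes from v-jokai to greglin while author stays coveminer; the same swap is repeated across the Surface files below in this commit, so confirm greglin is the intended content-owner alias for all of them, and that the one new file that carries ms.author: daclark (the Configuration Manager driver-updates article) is deliberate rather than a missed rename.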

View File

@ -38,12 +38,12 @@
### [Enable the Surface Laptop keyboard during MDT deployment](enable-surface-keyboard-for-windows-pe-deployment.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
### [Surface System SKU reference](surface-system-sku-reference.md)
## Manage
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Manage Surface driver updates in Configuration Manager](manage-surface-driver-updates-configuration-manager.md)
### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md)
### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
### [Surface Dock Firmware Update](surface-dock-firmware-update.md)
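Review bot: removing the "Using the Surface Deployment Accelerator deployment share" TOC entry matches the file deletion and the new redirection entry elsewhere in this commit. Relative links inside the repo (for example `[...](using-the-sda-deployment-share.md)` in other Surface articles) do not go through the redirection file, so grep the remaining Surface pages for that file name and repoint any hit at microsoft-surface-deployment-accelerator.md before merging.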

View File

@ -11,7 +11,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
---

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
manager: laurawi

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.audience: itpro
---

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, store
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: coveminer
ms.reviewer:
manager: laurawi
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
---
# Surface System SKU Reference

View File

@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
---

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.audience: itpro
---


View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: laurawi

View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: laurawi

View File

@ -11,7 +11,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.audience: itpro
---
@ -35,11 +35,10 @@ Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Su
For detailed steps, see the following resources:
- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
### Manage updates with Microsoft Deployment Toolkit
Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. These include the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259).
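Review bot: the replacement link `https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md` keeps a `.md` extension on a published docs.microsoft.com URL, which will not resolve. Since the target article is added in this same commit, use the relative repo link `manage-surface-driver-updates-configuration-manager.md` (as the other Surface TOC and cross-links do) so the build validates it, or drop the `.md` from the absolute URL.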
@ -54,7 +53,6 @@ Surface driver and firmware updates are packaged as Windows Installer (*.msi) fi
For instructions on how to deploy updates by using Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
**WindowsPE and Surface firmware and drivers**
Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase.
@ -67,7 +65,6 @@ Starting in Endpoint Configuration Manager, you can synchronize and deploy Micro
Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release.
## Managing firmware with DFCI
With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see:
@ -93,7 +90,6 @@ Specific versions of Windows 10 have separate .msi files, each containing all re
- Management engine (ME)
- Unified extensible firmware interface (UEFI)
### Downloading .msi files
1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center.
@ -103,7 +99,6 @@ Specific versions of Windows 10 have separate .msi files, each containing all re
*Figure 1. Downloading Surface updates*
### Surface .msi naming convention
Since August 2019, .msi files have used the following naming convention:
@ -126,8 +121,9 @@ This file name provides the following information:
- **Revision of version:** 0 (first release of this version)
### Legacy Surface .msi naming convention
Legacy .msi files (files built before August 2019) followed the same overall naming formula but used a different method to derive the version number.
****
**Example**
- SurfacePro6_Win10_16299_1900307_0.msi
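Review bot: the `****` line before **Example** renders as a thematic break (horizontal rule) in Markdown, which no other section of this file uses; if a separator is not intended, remove it, and if one is, use the same convention as the "Surface .msi naming convention" section above so the two examples look alike.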
@ -143,8 +139,6 @@ This file name provides the following information:
- **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
- **Revision of version:** 0 (first release of this version)
## Learn more
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware)
@ -157,4 +151,3 @@ This file name provides the following information:
- [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333).
- [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates)
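Review bot: the "Ignite 2019" bullet still ends with a trailing period after the link while the surrounding bullets do not; the earlier hunk in this file made exactly this cleanup for the "Deploy applications with Configuration Manager" bullet, so apply it here too for consistency.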

View File

@ -0,0 +1,181 @@
---
title: Manage Surface driver updates in Configuration Manager
description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices.
ms.assetid: b64879c4-37eb-4fcf-a000-e05cbb3d26ea
ms.reviewer:
author: v-miegge
manager: laurawi
keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: daclark
ms.topic: article
audience: itpro
---
# Manage Surface driver updates in Configuration Manager
## Summary
Starting in [Microsoft System Center Configuration Manager version 1710](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1710#software-updates), you can synchronize and deploy Microsoft Surface firmware and driver updates directly through the Configuration Manager client. The process resembles deploying regular updates. However, some additional configurations are required to get the Surface driver updates into your catalog.
## Prerequisites
To manage Surface driver updates, the following prerequisites must be met:
- You must use Configuration Manager version 1710 or a later version.
- All Software Update Points (SUPs) must run Windows Server 2016 or a later version. Otherwise, Configuration Manager ignores this setting and Surface drivers won't be synchronized.
> [!NOTE]
> If your environment doesnt meet the prerequisites, refer to the [alternative methods](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager#1) to deploy Surface driver and firmware updates in the [FAQ](#frequently-asked-questions-faq) section.
## Useful log files
The following logs are especially useful when you manage Surface driver updates.
|Log name|Description|
|---|---|
|WCM.log|Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages.|
|WsyncMgr.log|Records details about the software updates sync process.|
These logs are located on the site server that manages the SUP, or on the SUP itself if it's installed directly on a site server.
For a complete list of Configuration Manager logs, see [Log files in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/log-files).
## Enabling Surface driver updates management
To enable Surface driver updates management in Configuration Manager, follow these steps:
1. In the Configuration Manager console, go to **Administration** > **Overview** > **Site Configuration** > **Sites**.
1. Select the site that contains the top-level SUP server for your environment.
1. On the ribbon, select **Configure Site Components**, and then select **Software Update Point**. Or, right-click the site, and then select **Configure Site Components** > **Software Update Point**.
1. On the **Classifications** tab, select the **Include Microsoft Surface drivers and firmware updates** check box.
![Software Update Point Component Properties](images/manage-surface-driver-updates-1.png)
1. When you're prompted by the following warning message, select **OK**.
![Configuration Manager](images/manage-surface-driver-updates-2.png)
1. On the Products tab, select the products that you want to update, and then select **OK**.
Most drivers belong to the following product groups:
- Windows 10 and later version drivers
- Windows 10 and later Upgrade & Servicing Drivers
- Windows 10 Anniversary Update and Later Servicing Drivers
- Windows 10 Anniversary Update and Later Upgrade & Servicing Drivers
- Windows 10 Creators Update and Later Servicing Drivers
- Windows 10 Creators Update and Later Upgrade & Servicing Drivers
- Windows 10 Fall Creators Update and Later Servicing Drivers
- Windows 10 Fall Creators Update and Later Upgrade & Servicing Drivers
- Windows 10 S and Later Servicing Drivers
- Windows 10 S Version 1709 and Later Servicing Drivers for testing
- Windows 10 S Version 1709 and Later Upgrade & Servicing Drivers for testing
> [!NOTE]
> Most Surface drivers belong to multiple Windows 10 product groups. You may not have to select all the products that are listed here. To help reduce the number of products that populate your Update Catalog, we recommend that you select only the products that are required by your environment for synchronization.
## Verifying the configuration
To verify that the SUP is configured correctly, follow these steps:
1. Open WsyncMgr.log, and then look for the following entry:
```console
Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
Sync Catalog Drivers SCF value is set to : 1
```
If either of the following entries is logged in WsyncMgr.log, recheck step 4 in the previous section:
```console
Sync Surface Drivers option is not set
Sync Catalog Drivers SCF value is set to : 0
```
1. Open WCM.log, and then look for an entry that resembles the following:
![WCM.log settings](images/manage-surface-driver-updates-3.png)
This entry is an XML element that lists every product group and classification that's currently synchronized by your SUP server. For example, you might see an entry that resembles the following:
```xml
<Categories>
<Category Id="Product:05eebf61-148b-43cf-80da-1c99ab0b8699"><![CDATA[Windows 10 and later drivers]]></Category>
<Category Id="Product:06da2f0c-7937-4e28-b46c-a37317eade73"><![CDATA[Windows 10 Creators Update and Later Upgrade & Servicing Drivers]]></Category>
<Category Id="Product:c1006636-eab4-4b0b-b1b0-d50282c0377e"><![CDATA[Windows 10 S and Later Servicing Drivers]]></Category>
</Categories>
```
If you can't find the products that you selected in step 6 in the previous section, double-check whether the SUP settings are saved.
You can also wait until the next synchronization finishes, and then check whether the Surface driver and firmware updates are listed in Software Updates in the Configuration Manager console. For example, the console might display the following information:
![All Software Updates Search Results](images/manage-surface-driver-updates-4.png)
## Manual synchronization
If you don't want to wait until the next synchronization, follow these steps to start a synchronization:
1. In the Configuration Manager console, go to **Software Library** > **Overview** > **Software Updates** > **All Software Updates**.
1. On the ribbon, select **Synchronize Software Updates**. Or, right-click **All Software Update**, and then select **Synchronize Software Update**.
1. Monitor the synchronization progress by looking for the following entries in WsyncMgr.log:
```console
Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
sync: SMS synchronizing categories
sync: SMS synchronizing categories, processed 0 out of 311 items (0%)
sync: SMS synchronizing categories, processed 311 out of 311 items (100%)
sync: SMS synchronizing categories, processed 311 out of 311 items (100%)
sync: SMS synchronizing updates
Synchronizing update 7eaa0148-c42b-45fd-a1ab-012c82972de6 - Microsoft driver update for Surface Type Cover Integration
Synchronizing update 2dcb07f8-37ec-41ef-8cd5-030bf24dc1d8 - Surface driver update for Surface Pen Pairing
Synchronizing update 63067414-ae52-422b-b3d1-0382a4d6519a - Surface driver update for Surface UEFI
Synchronizing update 8e4e3a41-a784-4dd7-9a42-041f43ddb775 - Surface driver update for Surface Integration
Synchronizing update 7f8baee8-419f-47e2-918a-045a15a188e7 - Microsoft driver update for Surface DTX
Synchronizing update aed66e05-719b-48cd-a0e7-059e50f67fdc - Microsoft driver update for Surface Base Firmware Update
Synchronizing update 8ffe1526-6e66-43cc-86e3-05ad92a24e3a - Surface driver update for Surface UEFI
Synchronizing update 74102899-0a49-48cf-97e6-05bde18a27ff - Microsoft driver update for Surface UEFI
```
## Deploying Surface firmware and driver updates
You can deploy Surface firmware and driver updates in the same manner as you deploy other updates.
For more information about deployment, see [System Center 2012 Configuration ManagerPart7: Software Updates (Deploy)](https://blogs.technet.microsoft.com/elie/2012/05/25/system-center-2012-configuration-managerpart7-software-updates-deploy/).
## Frequently asked questions (FAQ)
**After I follow the steps in this article, my Surface drivers are still not synchronized. Why?**
If you synchronize from an upstream Windows Server Update Services (WSUS) server, instead of Microsoft Update, make sure that the upstream WSUS server is configured to support and synchronize Surface driver updates. All downstream servers are limited to updates that are present in the upstream WSUS server database.
There are more than 68,000 updates that are classified as drivers in WSUS. To prevent non-Surface related drivers from synchronizing to Configuration Manager, Microsoft filters driver synchronization against an allow list. After the new allow list is published and incorporated into Configuration Manager, the new drivers are added to the console following the next synchronization. Microsoft aims to get the Surface drivers added to the allow list each month in line with Patch Tuesday to make them available for synchronization to Configuration Manager.
If your Configuration Manager environment is offline, a new allow list is imported every time you import [servicing updates](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to Configuration Manager. You will also have to import a [new WSUS catalog](https://docs.microsoft.com/mem/configmgr/sum/get-started/synchronize-software-updates-disconnected) that contains the drivers before the updates are displayed in the Configuration Manager console. Because a stand-alone WSUS environment contains more drivers than a Configuration Manager SUP, we recommend that you establish a Configuration Manager environment that has online capabilities, and that you configure it to synchronize Surface drivers. This provides a smaller WSUS export that closely resembles the offline environment.
If your Configuration Manager environment is online and able to detect new updates, you will receive updates to the list automatically. If you dont see the expected drivers, please review the WCM.log and WsyncMgr.log for any synchronization failures.
**My Configuration Manager environment is offline, can I manually import Surface drivers into WSUS?**
No. Even if the update is imported into WSUS, the update won't be imported into the Configuration Manager console for deployment if it isn't listed in the allow list. You must use the [Service Connection Tool](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to import servicing updates to Configuration Manager to update the allow list.
**What alternative methods do I have to deploy Surface driver and firmware updates?**
For information about how to deploy Surface driver and firmware updates through alternative channels, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates). If you want to download the .msi or .exe file, and then deploy through traditional software deployment channels, see [Keeping Surface Firmware Updated with Configuration Manager](https://docs.microsoft.com/archive/blogs/thejoncallahan/keeping-surface-firmware-updated-with-configuration-manager).
## Additional Information
For more information about Surface driver and firmware updates, see the following articles:
- [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices)
- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
- [Considerations for Surface and System Center Configuration Manager](https://docs.microsoft.com/surface/considerations-for-surface-and-system-center-configuration-manager)
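Review bot: the front matter declares `author:` twice (`author: v-miegge` and `author: coveminer`); a duplicate YAML key is either rejected or silently resolved to the last value depending on the parser, so keep one. Smaller points in the same file: "doesnt" in the NOTE and "dont" in the FAQ are missing apostrophes; "System Center 2012 Configuration ManagerPart7" is missing the separator between "Manager" and "Part 7"; the NOTE's "alternative methods" link points to the external support.microsoft.com KB anchor even though the sentence already links the in-document FAQ, so point it at the FAQ question instead; and the "Manage Surface driver and firmware updates" link under Additional Information targets manage-surface-pro-3-firmware-updates while the FAQ uses manage-surface-driver-and-firmware-updates for the same article, so use one canonical URL.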

View File

@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices, surface
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: laurawi

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
manager: laurawi

View File

@ -10,7 +10,7 @@ ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: surfacehub
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.date: 09/26/2019
ms.localizationpriority: medium

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.date: 5/06/2020
ms.reviewer: brrecord

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
manager: laurawi

View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
manager: laurawi

View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer: cottmca
manager: laurawi

View File

@ -8,14 +8,14 @@ ms.sitesec: library
author: coveminer
ms.author: greglin
ms.topic: article
ms.date: 5/06/2020
ms.date: 5/29/2020
ms.reviewer: brrecord
manager: laurawi
audience: itpro
---
# Whats new in Surface Dock 2
Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. An extended set of management tools will be released via Windows update upon commercial distribution.
Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. Surface Enterprise Management Mode (SEMM) now enables IT admins to secure ports on Surface Dock 2. For more information, see [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999).
## General system requirements
@ -29,7 +29,6 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo
- Surface Laptop 2
- Surface Go
- Surface Go with LTE Advanced
- Surface Studio 2
- Surface Pro 7
- Surface Laptop 3
- Surface Book 3
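Review bot: removing Surface Studio 2 from the supported-device list is a substantive compatibility change, not a wording fix, and nothing in the commit message explains it; confirm with the product owner that Surface Studio 2 is genuinely unsupported by Surface Dock 2 (for example because it lacks a Surface Connect port with the required capabilities) before merging, since customers use this list to make purchasing decisions.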
@ -86,7 +85,7 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo
|Surflink|Yes|Yes|
|USB-A|2 front facing USB 3.1 Gen 1<br>2 rear facing USB 3.1 Gen 1|2 rear facing USB 3.2 Gen 2 (7.5W power)|
|Mini Display port|2 rear facing (DP1.2)|None|
|USB-C|None|2 front facing USB 3.2 Gen 2<br>[15W power]<br>2 rear facing USB 3.2 Gen 2 (DP1.4a)<br>[7.5W power]|
|USB-C|None|2 front facing USB 3.2 Gen 2<br>(15W power)<br>2 rear facing USB 3.2 Gen 2 (DP1.4a)<br>(7.5W power)|
|3.5 mm Audio in/out|Yes|Yes|
|Ethernet|Yes, 1 gigabit|Yes 1 gigabit|
|DC power in|Yes|Yes|
@ -99,20 +98,18 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo
|Wake-on-LAN from Connected Standby<sup>1</sup>|Yes|Yes|
|Wake-on-LAN from S4/S5 sleep modes|No|Yes|
|Network PXE boot|Yes|Yes|
|SEMM host access control|No|Coming in Windows Update<sup>2</sup>|
|SEMM port access control<sup>3</sup>|No|Coming in Windows Update|
|SEMM host access control|No|Yes
|SEMM port access control<sup>2</sup>|No|Yes|
|Servicing support|MSI|Windows Update or MSI|
||||
1. *Devices must be configured for Wake on LAN via Surface Enterprise Management Mode (SEMM) or Device Firmware Control Interface (DFCI) to wake from Hibernation or Power-Off states. Wake from Hibernation or Power-Off is supported on Surface Pro 7, Surface Laptop 3, Surface Pro X, Surface Book 3, and Surface Go 2. Software license required for some features. Sold separately.*
2. *Pending release via Windows Update.*
3. *Software license required for some features. Sold separately.*
2. *Software license required for some features. Sold separately.*
## Streamlined device management
Following the public announcement of Surface Dock 2, Surface will release streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features:
Surface has released streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features:
- **Frictionless updates**. Update your docks silently and automatically, with Windows Update or Microsoft Endpoint Configuration Manager, (formerly System Center Configuration Manager - SCCM) or other MSI deployment tools.
- **Wake from the network**. Manage and access corporate devices without depending on users to keep their devices powered on. Even when a docked device is in sleep, hibernation, or power off mode, your team can wake from the network for service and management, using Endpoint Configuration Manager or other enterprise management tools.
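Review bot: the added row `|SEMM host access control|No|Yes` is missing its closing pipe, unlike every other row in the table; add it so the row renders in the same column layout. In footnote 1, "Device Firmware Control Interface (DFCI)" disagrees with the expansion used elsewhere in this commit ("Device Firmware Configuration Interface (DFCI)" in manage-surface-driver-and-firmware-updates.md); use Configuration here. The footnote renumbering (superscript 3 to 2 on the port access control row, and the old "Pending release" footnote dropped) is consistent with the table.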
@ -120,5 +117,6 @@ Following the public announcement of Surface Dock 2, Surface will release stream
## Next steps
- [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999)
- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
- [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)

View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.date: 11/13/2019
ms.reviewer: jesko

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.localizationpriority: high
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.date: 4/15/2020
ms.reviewer: jessko

View File

@ -6,7 +6,7 @@ ms.localizationpriority: medium
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.date: 10/03/2019
ms.reviewer: jessko

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.date: 03/09/2020
ms.reviewer:

View File

@ -7,7 +7,7 @@ ms.sitesec: library
author: coveminer
ms.audience: itpro
ms.localizationpriority: medium
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer: tokatz
manager: laurawi

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: laurawi

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: laurawi

View File

@ -1,172 +0,0 @@
---
title: Using the Microsoft Surface Deployment Accelerator deployment share (Surface)
description: Explore the scenarios where you can use SDA to meet the deployment needs of your organization including Proof of Concept, pilot deployment, as well as import additional drivers and applications.
keywords: deploy, install, automate, deployment solution
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
manager: laurawi
---
# Using the Microsoft Surface Deployment Accelerator deployment share
With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/itpro/surface/microsoft-surface-deployment-accelerator).
> [!NOTE]
> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
Using SDA provides these primary benefits:
* With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your download speeds allow. The wizard experience enables you to check a few boxes and then the automated process builds your deployment environment for you.
* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user.
This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail.
## Perform a Proof of Concept deployment
One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof of Concept* (PoC) enables you to test or evaluate the capabilities of a solution or technology. A PoC is often used to illustrate the benefits of the solution or technology to decision makers. For example, if you want to recommend Surface devices as a replacement of older point of sale (POS) systems, you could perform a PoC to demonstrate how Surface devices provide superior computing power, flexibility, and connectivity when compared to alternate options.
Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information.
SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Microsoft Store and desktop applications, and several models of Surface devices.
Some recommendations for a successful PoC with SDA are:
* Keep your SDA deployment environment separate from your production network. This ensures optimal performance and reduces potential for conflicts during your PoC deployment.
* Use a fresh and updated instance of Windows Server to house your SDA deployment share to maintain the simplicity and performance of the demonstration environment.
* Test the deployment process before you demonstrate your PoC. This reduces the potential for unexpected situations and keeps the demonstration focused on the deployment process and Surface devices.
* Use offline files with SDA to further reduce installation times.
* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/support/contact-us-business).
## Perform a pilot deployment
A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstration that is performed prior to the deployment process in order to get approval for the use of certain technologies or solutions, a *pilot deployment* is performed during the deployment process as a limited scope deployment for testing and validation. The focus of a pilot deployment can be as narrow as only a handful of devices, or wide enough to include a significant portion of your organization.
>[!NOTE]
>A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment environment is built and developed. A deployment solution should be tested in virtual and physical environments as new applications and drivers are added and when task sequences are modified and before a pilot deployment is performed.
For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organizations MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices.
For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices.
## Import additional drivers
The SDA deployment share includes all of the drivers needed for Surface devices. This includes the drivers for the components inside the Surface device, such as the wireless network adapter and the main chipset, as well as drivers for Surface accessories, such as the Surface Dock or Surface USB Ethernet adapters. The SDA deployment share does not, however, include drivers for third-party devices or peripherals.
For example, you may intend to use your Surface device with a thermal printer, credit card reader, and barcode scanner as a POS terminal. In this scenario, the thermal printer, credit card reader, and barcode scanner will very likely require installation of drivers to operate properly. You could potentially download and install these drivers from Windows Update when each peripheral is connected, or you could install the driver package from the manufacturer manually on each Surface device, but the ideal solution is to have these drivers already present in Windows so that when the peripheral is connected, it will just work.
Because SDA is built on MDT, adding the drivers to the SDA deployment share is easy and simple.
>[!NOTE]
>The drivers must be in the Setup Information File (.inf) format. If the drivers for your device come as an executable file (.exe), they may need to be extracted or installed to procure the .inf file. Some device drivers come packaged with applications, for example an all-in-one printer bundled with scan software. These applications will need to be installed separately from the drivers.
To import drivers for a peripheral device:
1. Download the drivers for your device from the manufacturer web site.
2. Open the MDT Deployment Workbench.
3. Expand the **Deployment Shares** node and expand the SDA deployment share.
4. Expand the **Out-of-Box Drivers** folder.
5. Select the folder of the Surface model for which you would like to include this driver.
6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
![Provide the location of your driver files](images/using-sda-driverfiles-fig1.png "Provide the location of your driver files")
*Figure 1. Provide the location of your driver files*
7. The Import Drivers Wizard presents a series of steps:
- **Specify Directory** Click **Browse** and navigate to the folder where you stored the drivers in Step 1.
- **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
- **Progress** While the drivers are imported, a progress bar is displayed on this page.
- **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver.
9. Close the Deployment Workbench.
After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately.
>[!NOTE]
>You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models.
## Import additional applications
As with drivers, the SDA deployment share can be pre-configured with apps like the Surface App and Microsoft Office 365. You can also add applications to the SDA deployment share and configure them to be installed on your Surface devices during deployment of Windows. In the ideal scenario, your Surface devices deployed with the SDA deployment share will include all of the applications needed to be ready for your end users.
In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment:
1. Download the application installation files or locate the installation media for your application.
2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center.
3. Open the MDT Deployment Workbench.
4. Expand the **Deployment Shares** node and expand the SDA deployment share.
5. Expand the **Applications** folder.
6. Click **New Application** to start the New Application Wizard, as shown in Figure 2.
![Provide the command to install your application](images/using-sda-installcommand-fig2.png "Provide the command to install your application")
*Figure 2: Provide the command to install your application*
7. Follow the steps of the New Application Wizard:
- **Application Type** Click **Application with Source Files**, and then click **Next**.
- **Details** Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
- **Source** Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**.
- **Destination** Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
- **Command Details** Enter the silent command-line instruction, for example `setup.msi /quiet /norestart`
- **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
- **Progress** While the installation files are imported, a progress bar is displayed on this page.
- **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**.
9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
10. Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**.
11. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
![A new Install Application step for Sample POS App](images/using-sda-newinstall-fig3.png "A new Install Application step for Sample POS App")
*Figure 3. A new Install Application step for Sample POS App*
12. On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app.
13. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
14. Select your app from the list of applications, and then click **OK**.
15. Click **OK** to close the task sequence properties.
16. Close the Deployment Workbench.
## Work with existing deployment shares
One of the many benefits of an MDT deployment share is the simplicity of how deployment resources are stored. The MDT deployment share is, at its core, just a standard network file share. All deployment resources, such as Windows images, application installation files, and drivers, are stored in a share that can be browsed with File Explorer, copied and pasted, and moved just like any other file share, provided that you have the necessary permissions. This makes working with deployment resources extremely easy. MDT even allows you to make it easier by allowing you to open multiple deployment shares from the Deployment Workbench and to transfer or copy resources between them.
This ability gives SDA some extra capabilities when used in an environment with an existing MDT infrastructure. For example, if you install SDA on an isolated server to prepare a PoC and then log on to your production MDT deployment share from the Deployment Workbench on your SDA server, you can copy applications, drivers, task sequences, and other components into the SDA deployment share that is prepared with Surface apps and drivers. With this process, in a very short amount time, you can have a deployment environment ready to deploy your organizations precise requirements to Surface devices.
You can also use this capability in reverse. For example, you can copy the Surface drivers, deployment task sequences, and apps directly into a lab or testing environment following a successful PoC. Using these resources, you can immediately begin to integrate Surface deployment into your existing deployment infrastructure.
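Review bot: Deleting `using-the-sda-deployment-share.md` outright needs a redirect and a TOC update to go with it, and this file shows neither. The page is linked from other Surface docs (its own text shows it is part of a set with the SDA overview and the Step-by-Step article, which link back), so any inbound relative link becomes a 404 once this merges. Add a redirect entry for `devices/surface/using-the-sda-deployment-share.md` (to the SDA overview page, which already carries the "not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3" note), remove the TOC.md entry, and grep the repo for `using-the-sda-deployment-share` before merging.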

View File

@ -8,7 +8,7 @@ ms.pagetype: surface, devices
ms.sitesec: library
ms.localizationpriority: medium
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.reviewer: scottmca
manager: laurawi

View File

@ -4,7 +4,6 @@ title: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6
description: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User
ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a
author: dansimp
ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library

View File

@ -4,7 +4,6 @@ title: How to Use an App-V 4.6 Application From an App-V 5.0 Application
description: How to Use an App-V 4.6 Application From an App-V 5.0 Application
ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487
author: msfttracyp
ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library

View File

@ -11,8 +11,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 8/30/2018
ms.author: pashort
author: shortpatti
ms.author: dansimp
---
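Review bot: This hunk removes `author: shortpatti` but only adds `ms.author: dansimp`, so unless an `author:` key exists in the first ten frontmatter lines outside the hunk, the page is left with `ms.author` and no `author`; every other page touched in this commit keeps both (for example `author: coveminer` with `ms.author: greglin`). Verify, and add `author: dansimp` if it is missing.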
# Applying hotfixes on MBAM 2.5 SP1

View File

@ -8,7 +8,6 @@ ms.author: delhan
ms.sitesec: library
ms.prod: w10
ms.date: 09/16/2019
manager: dcscontentpm
---
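Review bot: `manager: dcscontentpm` is deleted here (and in the troubleshooting page hunk that follows) with no replacement, whereas the page-file hunks later in this commit handle the same alias by moving it to `ms.reviewer: dcscontentpm` and setting `manager: dansimp`. Pick one treatment for all four pages so the MBAM pages do not end up without a `manager` value while the Windows client pages keep one.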
# Deploying MBAM 2.5 in a standalone configuration

View File

@ -8,7 +8,6 @@ ms.author: delhan
ms.sitesec: library
ms.prod: w10
ms.date: 09/16/2019
manager: dcscontentpm
---
# Troubleshooting MBAM 2.5 installation problems

View File

@ -2,11 +2,10 @@
title: Upgrading from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update
author: dansimp
ms.author: ksharma
manager:
manager: miaposto
audience: ITPro
ms.topic: article
ms.prod: w10
manager: miaposto
ms.localizationpriority: Normal
---

View File

@ -2,7 +2,7 @@
title: Deploy and manage a full cloud IT solution for your business
description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices.
keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365
ms.prod:
ms.prod: w10
ms.technology:
ms.author: eravena
audience: itpro
@ -13,6 +13,7 @@ author: eavena
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
ms.topic: conceptual
---
# Get started: Deploy and manage a full cloud IT solution for your business

View File

@ -2,16 +2,17 @@
title: Windows 10 for small to midsize businesses
description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
keywords: Windows 10, SMB, small business, midsize business, business
ms.prod:
ms.prod: w10
ms.technology:
ms.topic: article
ms.author: celested
ms.author: dansimp
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: smb
author: CelesteDG
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: itpro
---
# Windows 10 for SMB

View File

@ -9,7 +9,6 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
ms.author:
ms.date: 10/22/2017
ms.reviewer:
manager: dansimp

View File

@ -13,7 +13,7 @@ ms.author: dansimp
ms.topic: article
---
# Enable or block Windows Mixed Reality apps in the enterprise
# Enable or block Windows Mixed Reality apps in enterprises
**Applies to**
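Review bot: The retitled H1 "Enable or block Windows Mixed Reality apps in enterprises" reads less naturally than the original "in the enterprise", which is the conventional idiom; if the rename is intentional, change the `title:` metadata above this hunk and any inbound links to match, otherwise the H1 and the browser title will disagree.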
@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
a. Download the FOD .cab file for [Windows 10, version 20H1](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
>[!NOTE]
>You must download the FOD .cab file that matches your operating system version.
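Review bot: The new download entry is labelled "Windows 10, version 20H1" while every other entry in the same sentence uses the numeric release name (1903 and 1909, 1809, 1803, 1709); the shipping name of that release is Windows 10, version 2004, and 20H1 was the pre-release codename, so a reader following the note right below ("download the FOD .cab file that matches your operating system version") will not find "2004" in the list. Relabel it, and verify the new `software-download.microsoft.com` URL resolves, since its path form (`Package~31bf3856ad364e35~amd64~~.cab`) differs from the 1903/1909 link on the same host.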

View File

@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are
![Screenshot of folder of admin tools](images/admin-tools-folder.png)
These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
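Review bot: The added sentence "The tools are located within the folder C:\Windows\System32\ or its subfolders" is not true of every tool the page lists: the Registry Editor added in the next hunk runs from `C:\Windows\regedit.exe`, not from System32, and the Windows Administrative Tools folder itself holds shortcuts rather than the executables. Suggest "Most of these tools are executables under C:\Windows\System32; the Administrative Tools folder contains shortcuts to them."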
@ -43,6 +43,8 @@ These tools were included in previous versions of Windows and the associated doc
- [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
- [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495)
- [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496)
- [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive)
- [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry)
- [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497)
- [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498)
- [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
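Review bot: The new Registry Editor entry links to the Win32 registry programming reference (`/windows/win32/sysinfo/registry`), which documents the registry API for developers, not the Registry Editor tool; every other entry in this list points at documentation for the tool itself, so link to the regedit help page instead, or say in the link text that it is the registry reference. Since the list is aimed at admins, it is also worth noting that both added tools (Recovery Drive and Registry Editor) prompt for elevation when launched.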
@ -60,7 +62,3 @@ These tools were included in previous versions of Windows and the associated doc

View File

@ -8,8 +8,8 @@ author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
manager: dcscontentpm
ms.reviewer: dcscontentpm
manager: dansimp
---
# How to determine the appropriate page file size for 64-bit versions of Windows

View File

@ -7,8 +7,8 @@ ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.reviewer: greglin
manager: dcscontentpm
ms.reviewer: dcscontentpm
manager: dansimp
---
# Introduction to page files

View File

@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/).
In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/)
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
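Review bot: The rewritten sentence drops the period after the link, so the paragraph now ends at "who wins?](...)" with no terminal punctuation; restore it. While here, "the GP policy wins" for "version 1709 or later" is only the default, as the next clause about the 1803 setting makes clear, so "by default, the GP policy wins" avoids the apparent contradiction.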
@ -54,6 +54,7 @@ The following steps demonstrate required settings using the Intune service:
> [!IMPORTANT]
> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
>
> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later.
@ -93,7 +94,7 @@ You may contact your domain administrators to verify if the group policy has bee
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
- AD-joined PC running Windows 10, version 1709
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
@ -109,7 +110,7 @@ Requirements:
![MDM policies](images/autoenrollment-mdm-policies.png)
4. Double-click **Enable Automatic MDM enrollment using default Azure AD credentials**.
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
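Review bot: The new step says "support for Device Credential is coming" and "Device Credential will enroll the device and then assign a user later, once support for this is available", but the note immediately below this hunk states that Device Credential "will only have an effect on clients that have installed Windows 10, version 1903 or later", which reads as though it already works; reconcile the two by stating which builds support Device Credential today, and drop the undated "is coming" promise, which will go stale. The step is also one very long sentence; keep the policy name (and its 1709 name) in the step and put the credential-type guidance in a following sentence or note.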
@ -117,7 +118,7 @@ Requirements:
> [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
The default behavior for older releases is to revert to **User Credential**.
> The default behavior for older releases is to revert to **User Credential**.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
@ -159,27 +160,28 @@ Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/a
## Configure the auto-enrollment for a group of devices
Requirements:
- AD-joined PC running Windows 10, version 1709
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third party service provider)
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
> [!IMPORTANT]
> If you do not see the policy, it may be because you dont have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
> 1. Download:
> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
> 2. Install the package on the Domain Controller.
> 3. Navigate, depending on the version to the folder:
> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
> (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
> 6. Restart the Domain Controller for the policy to be available.
> This procedure will work for any future version as well.
[!IMPORTANT]
If you do not see the policy, it may be because you dont have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
1. Download:
1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder:
1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
(If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
6. Restart the Domain Controller for the policy to be available.
This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
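Review bot: the unquoted copy of the note (from `[!IMPORTANT]` through `This procedure will work for any future version as well.`) has lost the `>` blockquote prefix that the other copy carries; without it DocFX will not render `[!IMPORTANT]` as an alert, and the six "Download ... Restart the Domain Controller" steps will merge with the "1. Create a Group Policy Object (GPO)" list that follows, restarting its numbering. Keep `> ` on every line of the note, including the closing "This procedure will work for any future version as well." sentence.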
@ -187,7 +189,6 @@ Requirements:
4. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices
Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.
To collect Event Viewer logs:
@ -241,10 +242,10 @@ To collect Event Viewer logs:
- [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx)
- [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx)
- [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
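Review bot: the 1903 template link in Useful Links (`details.aspx?id=58495`) and the same download referenced in the IMPORTANT note above (`details.aspx?id=58495&WT.mc_id=rss_alldownloads_all`) differ only by a tracking parameter; drop `&WT.mc_id=...` in the note so both references resolve to the same canonical URL. The Useful Links list is also newest-first while the note's list is oldest-first; pick one order.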

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.topic:
ms.topic: conceptual
---
# How Mobile Device Management Providers support eSIM Management on Windows

View File

@ -260,7 +260,7 @@ Note that the data payload of the SyncML needs to be encoded so that it does not
The **LocURI** for the above GP policy is:
`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2`
`./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2`
To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `<Data>` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown.
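Review bot: the LocURI now uses forward slashes (`./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2`), which is the OMA-DM URI form; since the next sentence points readers at "the samples below", check that the `<LocURI>` values in those SyncML samples use the same separator so a copied sample does not mix the two forms.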

View File

@ -25,6 +25,33 @@ ms.topic: reference
Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591).
## New Group Policy settings in Windows 10, version 1903
The following Group Policy settings were added in Windows 10, version 1903:
**System**
- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
- System\Storage Sense\Allow Storage Sense
- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
- System\Storage Sense\Configure Storage Sense
- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
**Windows Components**
- Windows Components\App Privacy\Let Windows apps activate with voice
- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
## New Group Policy settings in Windows 10, version 1809
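Review bot: the intro sentence links the "complete set of Administrative Template (.admx) files" to `download/100591`, which the Useful Links list earlier in this commit identifies as the November 2019 Update (1909) templates, yet the newest section is "New Group Policy settings in Windows 10, version 1903". Either add a 1909 section above this one or state that 1909 introduced no new Group Policy settings, so readers do not take the 1903 list as the latest.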
@ -496,4 +523,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=

View File

@ -8,8 +8,8 @@ author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/22/2019
ms.reviewer:
manager: dcscontentpm
ms.reviewer: dcscontentpm
manager: dansimp
---
# Configure system failure and recovery options in Windows
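Review bot: the two metadata values look transposed rather than updated: `ms.reviewer:` takes the previous `manager:` value (`dcscontentpm`) and `manager:` becomes `dansimp`. Confirm that is intended; if `dcscontentpm` is still the manager, only `ms.reviewer` should change.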

View File

@ -2,7 +2,7 @@
## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md)
## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md)
## [Configure Cortana in Windows 10](cortana-at-work/cortana-at-work-overview.md)
## [Set up and test Cortana in Windows 10, version 2004 and later](cortana-at-work/set-up-and-test-cortana-in-windows-10)
## [Set up and test Cortana in Windows 10, version 2004 and later](cortana-at-work/set-up-and-test-cortana-in-windows-10.md)
## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/cortana-at-work-scenario-1.md)
### [Test scenario 2 - Perform a Bing search with Cortana](cortana-at-work/cortana-at-work-scenario-2.md)
@ -13,13 +13,13 @@
## [Send feedback about Cortana back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
## [Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization](cortana-at-work/cortana-at-work-o365.md)
## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/test-scenario-1)
### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/test-scenario-2)
### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/test-scenario-3)
### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/test-scenario-4)
### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/test-scenario-5)
### [Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work/test-scenario-6)
### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device](cortana-at-work/cortana-at-work-scenario-7)
### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/test-scenario-1.md)
### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/test-scenario-2.md)
### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/test-scenario-3.md)
### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/test-scenario-4.md)
### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/test-scenario-5.md)
### [Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work/test-scenario-6.md)
### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device](cortana-at-work/cortana-at-work-scenario-7.md)
## [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
## [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
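Review bot: in the "versions 1909 and earlier" section, scenarios 1 to 6 link to `cortana-at-work/test-scenario-N.md` but scenario 7 links to `cortana-at-work/cortana-at-work-scenario-7.md`, the naming used by the "version 2004 and later" section above; check whether that entry should be `test-scenario-7.md`. The entry "Testing scenarios using Cortana in your business or organization" also appears under both sections with the same target, `cortana-at-work/cortana-at-work-testing-scenarios.md`, so one page is listed twice in the TOC.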

View File

@ -145,6 +145,8 @@
href: update/feature-update-user-install.md
- name: Use Windows Update for Business
items:
- name: What is Windows Update for Business?
href: update/waas-manage-updates-wufb.md
- name: Configure Windows Update for Business
href: update/waas-configure-wufb.md
- name: Enforcing compliance deadlines for updates

View File

@ -25,12 +25,16 @@ ms.topic: article
This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index).
- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
## Recent changes
## Latest news
[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.<br>
The [Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.<br>
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br>
VPN support is added to [Windows Autopilot](#windows-autopilot)<br>
An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).<br>
The [Windows ADK](#windows-assessment-and-deployment-kit-adk) for Windows 10, version 2004 is available.<br>
The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with additional content added and more content coming soon.<br>
## The Modern Desktop Deployment Center
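Review bot: the unchanged intro bullet "For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history)" points at a section this same file removes further down ("## Online content change history"), leaving a dead in-page anchor; drop the bullet or retarget it. Also, "VPN support is added to [Windows Autopilot](#windows-autopilot)<br>" is the only line in the list without a terminating period.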
@ -47,7 +51,34 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
## Windows 10 servicing and support
- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
### Delivery Optimization
Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include:
- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: separated to foreground and background
### Windows Update for Business
[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
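Review bot: several typos in the new text: "a real-time peak behind the scenes" should be "peek"; "Use the **-ListConnections** option to for in-depth look" should be "for an in-depth look"; "is enabled with of [new policies]" should be "is enabled with"; and "after the recent installation of Quality of driver updates" should be "quality or driver updates". The sentence "Improved Peer Efficiency for enterprises and educational institutions ... Configuration Manager content coming soon!" also appears both as a top-level bullet under "Windows 10 servicing and support" and under "Additional improvements in Delivery Optimization"; if the top-level bullet is not the removed copy, keep only one.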
@ -68,13 +99,16 @@ Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel o
For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
## Deployment solutions and tools
### Windows Autopilot
[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
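Review bot: "With the release of Windows 10, version 2004 you can configure" needs a comma after "2004", and "backported to Windows 10, version 1909 and 1903" should read "versions 1909 and 1903". Consider also stating which Intune or Autopilot profile setting enables the VPN path, since the paragraph otherwise only links to the general user-driven page.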
@ -83,6 +117,10 @@ The following Windows Autopilot features are available in Windows 10, version 19
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Endpoint Configuration Manager
An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
### Windows 10 Subscription Activation
Windows 10 Education support has been added to Windows 10 Subscription Activation.
@ -91,9 +129,11 @@ With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to
### SetupDiag
[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.
SetupDiag version 1.6.0.42 was released on 08/08/2019.
In Windows 10, version 2004, SetupDiag is now automatically installed.
During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
### Upgrade Readiness
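Review bot: "extract all its sources files" should be "source files". The first path is bold (`**%SystemDrive%\$Windows.~bt\Sources**`) while `%SystemDrive%\Windows.Old` later in the same paragraph is unformatted; format both the same way.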
@ -129,21 +169,21 @@ There are many benefits to converting the partition style of a disk to GPT, incl
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019.
For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/).
MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There is currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.
For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
### Windows Assessment and Deployment Kit (ADK)
The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics:
The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools)
- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
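Review bot: "MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019" reads as if Server 2019 were an earlier Windows 10 release; say "and earlier Windows 10 releases, as well as Windows Server 2019". The UEFI detection issue sentence ("This issue is currently under investigation") will go stale quickly; link it to the MDT release notes already referenced so readers can find the resolution. "Download the Windows ADK ... [here]" uses non-descriptive link text; use the page title instead.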
@ -157,25 +197,15 @@ For more information, see the following guides:
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
## Troubleshooting guidance
[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Online content change history
The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)<br>
[Change history for Device Security](/windows/device-security/change-history-for-device-security)<br>
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
## Related topics
[Overview of Windows as a service](update/waas-overview.md)
<BR>[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
<BR>[Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information)
<BR>[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
<BR>[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
<BR>[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
[Overview of Windows as a service](update/waas-overview.md)<br>
[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)<br>
[Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information)<br>
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)<br>
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)<br>
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)<br>
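Review bot: the reworked Related topics list ends with `[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)<br>`, so the trailing `<br>` adds an empty line after the last item; drop it. Removing "## Online content change history" also orphans the intro bullet near the top of this file that links to `#online-content-change-history`; that reference should go with this hunk.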

View File

@ -26,7 +26,7 @@ ms.topic: article
This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
> [!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
## Deployment tips

View File

@ -10,7 +10,8 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
@ -22,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following are the best practice recommendations for using Windows To Go:

View File

@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.

View File

@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go.

View File

@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.

View File

@ -26,7 +26,9 @@ The features described below are no longer being actively developed, and might b
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 |
| Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
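Review bot: the column is "Details and mitigation", but the new Companion Device Framework and legacy Microsoft Edge rows give only the deprecation statement with no replacement guidance (the Dynamic Disks row, by contrast, names Storage Spaces). Add the successor or migration pointer for each. The new 2004 rows are also inserted below the 1909 "Hyper-V vSwitch on LBFO" row while other 1909 rows follow them; order the table consistently by version.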

View File

@ -27,6 +27,9 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 |
| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 |
| PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 |
| Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 |
| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 |

View File

@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following list identifies some commonly asked questions about Windows To Go.
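Review bot: now that the note says the feature is removed in version 2004 and later, the remaining sentences ("does not support feature updates and therefore does not enable you to stay current", "requires a specific type of USB") justify a deprecation rather than a removal; consider trimming them or introducing them with "Before its removal, ..." so the note reads consistently. The same note text appears in the next file in this merge; keep both copies identical.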

View File

@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.

View File

@ -1,59 +0,0 @@
---
title: Define update strategy
ms.reviewer:
manager: laurawi
description:
keywords: updates, calendar, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
# Define update strategy
Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--withouth interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly.
## Calendar approaches
You can use a calendar approach for either a faster 18-month or twice-per-year cadence or a 30-month or annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates.
### Annual
Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles:
![annual calendar](images/annual-calendar.png)
This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version 20H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
This cadence might be most suitable for you if any of these conditions apply:
- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the *second* half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months).
### Rapid
This calendar shows an example schedule that installs each feature update as it is released, twice per year:
![rapid calendar](images/rapid-calendar.png)
This cadence might be best for you if these conditions apply:
- You have a strong appetite for change.
- You want to continuously update supporting infrastructure and unlock new scenarios.
- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office.
- You have experience with feature updates for Windows 10.
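Review bot: this deletes the whole "Define update strategy" page; confirm that a redirect entry for its source path was added to the redirect file in this same merge, as was done for the other removed pages, so existing links and bookmarks do not break. If the content is being relocated rather than dropped, carry over the fixes it still needs at the new location: "withouth", "an so", "you environment", "lets you to allow", and the duplicated `author: jaimeo` key in the front matter.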

View File

@ -45,7 +45,7 @@ Keep security baslines current to help ensure that your environment is secure an
There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591).
- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. {SET COMPLIANCE and other policies}
- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
## Define operational readiness criteria
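Review bot: removing the `{SET COMPLIANCE and other policies}` placeholder is right, but the hunk's context line still reads "Keep security baslines current" (typo for "baselines"); fix it while touching this file. The administrative template link is also pinned to version 1909; since the bullet says each feature update has its own template, either say "for each release" or link the generic download so the page does not age.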

View File

@ -79,7 +79,7 @@ automatic restart. To take advantage of this feature, ensure **ConfigureDeadline
## Device activity policies
Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two
of continuous activity {HOW DO YOU DEFINE ACTIVITY?}, in order to successfully complete a system update. The device could have other
of continuous activity, in order to successfully complete a system update. The device could have other
physical circumstances that prevent successful installation of an update--for example, if a laptop is running low
on battery power, or the user has shut down the device before active hours end and the device cannot comply
with the deadline.
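Review bot: after dropping the placeholder, the sentence reads "at least six hours, with at least two of continuous activity", so "two" has no unit; it should presumably be "at least two hours of continuous activity". The removed placeholder asked how activity is defined, and that question is still open for readers deciding whether their devices will meet the deadline; a short definition, or a link to one, belongs here.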
@ -201,4 +201,4 @@ Updates** rather than setting a deferral policy. You can choose a longer period
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
There are additional policies are no longer supported or have been superseded. See {LINK TO Policies and settings reference guide Policies to disable or not configure} for more information.
There are additional policies are no longer supported or have been superseded.
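Review bot: the new line "There are additional policies are no longer supported or have been superseded." is missing "that" (it should read "additional policies that are no longer supported"). Removing the `{LINK TO ...}` placeholder also leaves the reader with no pointer to which policies these are; either link the "Policies to disable or not configure" section of the reference guide or drop the sentence until that link exists.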

View File

@ -129,6 +129,8 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
| ExpireOn | The target expiration date and time for the file. |
| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |
Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
- Number of files downloaded 
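Review bot: the new `-PeerInfo` sentence should show the command the way the rest of the page does for other cmdlets (a fenced `Get-DeliveryOptimizationStatus -PeerInfo` line) and say what a peer entry contains, since "a real-time list of the connected peers" alone does not tell an admin what to expect. While here, the backticked `setDeliveryOptmizationStatus` in the context line above looks like a typo (missing "i", and PowerShell cmdlet casing) for `Set-DeliveryOptimizationStatus`.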

View File

@ -73,9 +73,6 @@ The following table lists the minimum Windows 10 version that supports Delivery
<!-- ### Network requirements
{can you share with me what the network requirements are?}-->
@ -144,7 +141,7 @@ For the payloads (optional):
**How does Delivery Optimization handle VPNs?**
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the {WE SHOULD NAME OR POINT TO THIS POLICY} policy.
If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
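Review bot: the context sentence "If you have defined a boundary group in Configuration Manager and have for VPN IP ranges" is garbled, presumably "a boundary group in Configuration Manager for VPN IP ranges"; fix it in this change, since that paragraph carries the actual control (DownloadMode 0 for the VPN boundary group) that stops peer traffic crossing the VPN. Linking the "Enable Peer Caching while the device connects via VPN" policy is a good replacement for the placeholder; consider also noting that the keyword-based VPN detection described above is a heuristic, so an adapter whose description lacks "VPN" or "secure" will not be treated as a VPN, which is why the boundary-group setting is the reliable control.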

View File

@ -28,13 +28,25 @@ ms.topic: article
## About SetupDiag
<I>Current version of SetupDiag: 1.6.0.42</I>
<I>Current downloadable version of SetupDiag: 1.6.0.42</I>
>Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
## SetupDiag in Windows 10, version 2004 and later
With the release of Windows 10, version 2004, SetupDiag is included with Windows Setup.
During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, **setupdiag.exe** is also installed to this directory. If there is an issue with the upgrade, SetupDiag will automatically run to determine the cause of the failure.
When run by Windows Setup, results of the SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\Setup\SetupDiag\Results**.
If the upgrade process proceeds normally, the **Sources** directory including **setupdiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **setupdiag.exe** will also be removed.
## Using SetupDiag
To quickly use SetupDiag on your current computer:
1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137).
2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
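Review bot: the new tip line "so that can access new functionality" is missing "you". In the new 2004 section, **%SystemDrive%$Windows.~bt\Sources** is missing the backslash after `%SystemDrive%` (compare the `%WinDir%\Logs\SetupDiag\...` path two lines later), and the same sentence uses both "Windows.Old" and "Windows.old"; pick one spelling. Also, "setupdiag.exe will automatically run" plus results in **HKLM\Setup\SetupDiag\Results** is exactly what an administrator collecting failed-upgrade evidence wants to know; consider moving the results location up into the first paragraph of the section so it is not buried.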

View File

@ -8,7 +8,7 @@
### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
## Basic level Windows diagnostic data events and fields
### [Windows 10, version 2005 required Windows diagnostic data events and fields](required-windows-diagnostic-data-events-and-fields-2005.md)
### [Windows 10, version 2004 required Windows diagnostic data events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
### [Windows 10, version 1903 and Windows 10, version 1909 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: medgarmedgar
ms.author: v-medgar
ms.author: dansimp
manager: robsize
ms.date: 3/25/2020
---

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: danihalfin
ms.author: v-medgar
ms.author: dansimp
manager: sanashar
ms.collection: M365-security-compliance
ms.topic: article

View File

@ -1,6 +1,6 @@
---
description: Use this article to learn more about what required Windows diagnostic data is gathered.
title: Windows 10, version 2005 required diagnostic events and fields (Windows 10)
title: Windows 10, version 2004 required diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
ms.mktglfcycl: manage
@ -17,7 +17,7 @@ ms.date: 03/27/2020
---
# Windows 10, version 2005 required Windows diagnostic events and fields
# Windows 10, version 2004 required Windows diagnostic events and fields
> [!IMPORTANT]
@ -26,7 +26,7 @@ ms.date: 03/27/2020
**Applies to**
- Windows 10, version 2005
- Windows 10, version 2004
Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
@ -90,7 +90,6 @@ The following fields are available:
- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string
- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data.
- **IsBootCritical** Indicates whether the device boot is critical.
- **SdbEntries** Deprecated in RS3.
- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device.
- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
@ -103,10 +102,6 @@ This event sends compatibility database data about driver packages to help keep
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **SdbEntries** Deprecated in RS3.
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
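Review bot: after `SdbEntries` is removed from the driver-package compatibility event edited here, the section still ends with "The following fields are available:" and then lists nothing before the next heading. Either reword it to say the event has no fields beyond those inherited from Ms.Device.DeviceInventoryChange, or drop the line.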
@ -636,7 +631,6 @@ The following fields are available:
- **Categories** A comma separated list of functional categories in which the container belongs.
- **DiscoveryMethod** The discovery method for the device container.
- **FriendlyName** The name of the device container.
- **Icon** Deprecated in RS3. The path or index to the icon file.
- **IsActive** Is the device connected, or has it been seen in the last 14 days?
- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
- **IsMachineContainer** Is the container the root device itself?

View File

@ -1,60 +0,0 @@
---
title: Stub topic
description: Use this topic to test localization e2e.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/11/2019
ms.reviewer:
---
# Stub topic
Applies to:
- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
- Windows 10, version 1703
- Windows 10 Team Edition, version 1703 for Surface Hub
- Windows Server 2019
- Windows Server 2016
- Windows Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
For more information about the GDPR, see:
* [Microsoft GDPR Overview](https://aka.ms/GDPROverview)
* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq)
* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp)
* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted)
## GDPR fundamentals
Here are some GDPR fundamentals:
* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance.
* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals both customers and employees.
* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice no matter where data is sent, processed, or stored.
* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
### What is personal data under the GDPR?
Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a persons private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to:
* Name
* Email address
* Credit card numbers
* IP addresses
* Social media posts
* Location information
* Handwriting patterns
* Voice input to cloud-based speech services
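Review bot: removing the localization test stub is fine, but confirm it is not still referenced from the privacy TOC or linked anywhere; a stub should not need a redirect entry, so none should be added for it.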

View File

@ -14,11 +14,13 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer:
---
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
```powershell
# Script to find out if machine is Device Guard compliant
# requires driver verifier on system.
# Script to find out if a machine is Device Guard compliant.
# The script requires a driver verifier present on the system.
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
$path = "C:\DGLogs\"
@ -774,13 +776,13 @@ function CheckOSArchitecture
{
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
Log $OSArch
if($OSArch.Contains("64-bit"))
if($OSArch -match ("^64\-?\s?bit"))
{
LogAndConsoleSuccess "64 bit archictecture"
LogAndConsoleSuccess "64 bit architecture"
}
elseif($OSArch.Contains("32-bit"))
elseif($OSArch -match ("^32\-?\s?bit"))
{
LogAndConsoleError "32 bit archictecture"
LogAndConsoleError "32 bit architecture"
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
}
else
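Review bot: the new checks `$OSArch -match ("^64\-?\s?bit")` and `-match ("^32\-?\s?bit")` are a reasonable loosening of the old `Contains("64-bit")` (they now accept "64bit" and "64 bit" as well), but the parentheses around the pattern string are unnecessary and `-` needs no escaping outside a character class, so `-match '^64-?\s?bit'` is the idiomatic form. Because `$OSArch` was already lowercased with `ToLower()`, the case-insensitive `-match` changes nothing there. Consider logging the unmatched `$OSArch` value in the `else` branch so a failure on an unexpected string (for example a localized OSArchitecture) is diagnosable from `C:\DGLogs\`.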
@ -959,7 +961,7 @@ function PrintToolVersion
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
@ -1182,7 +1184,7 @@ if($Enable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately
#Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
@ -1251,7 +1253,7 @@ if($Disable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately
#Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
@ -1371,7 +1373,6 @@ if($Capable)
}
# SIG # Begin signature block
## REPLACE
# SIG # End signature block
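Review bot: replacing the embedded Authenticode signature block with `## REPLACE` ships the script unsigned. The edits above (architecture regex, version string, comments) invalidate the previous signature anyway, so the file must be re-signed before publication; otherwise users running under an AllSigned or RemoteSigned execution policy will get a signature error on a tool whose purpose is to assess Device Guard and Credential Guard readiness. Do not merge with the placeholder in place.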

View File

@ -294,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
6. Sign out of the Microsoft Azure Portal.
> [!NOTE]
> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
## Configure Windows Hello for Business Device Enrollment

View File

@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
1. Open a **Windows PowerShell** prompt.
2. Type the following command
2. Enter the following command:
```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
```
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
### Group Memberships for the AD FS Service Account
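Review bot: in the reworded note, **WHFBEnrollmentAgent** is bold while WHFBAuthentication is not; format both template names the same way. The "above" to "preceding" and "using" to "by using" changes are fine.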
@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Section Review
> [!div class="checklist"]
> * Configure the registration authority
> * Update group memberships for the AD FS service account
> * Configure the registration authority.
> * Update group memberships for the AD FS service account.
>
>
> [!div class="step-by-step"]

View File

@ -16,6 +16,7 @@ localizationpriority: medium
ms.date: 10/23/2017
ms.reviewer:
---
# Configure Hybrid Windows Hello for Business: Directory Synchronization
**Applies to**
@ -62,7 +63,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
6. Click **OK** to return to **Active Directory Users and Computers**.
> [!NOTE]
> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
### Section Review
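Review bot: the new note text regresses in two places: "ie." should be "i.e.," (or keep the original "that is,"), and "into "Enterprise Key Admins" group" needs "the". Merging the two sentences into one conditional is otherwise an improvement.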

View File

@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController".
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store.

View File

@ -457,7 +457,7 @@ Checking BitLocker status with the control panel is the most common method used
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
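Review bot: changing "on volume E" to "on the volume" is the right generalization, since nothing on the page ties the example to drive E. The sentence "there was only a clear protector used when encrypting the volume" could state the consequence more plainly: with only a clear key protector the volume is encrypted but its key is stored unprotected, which is why the status is "not in a protected state" until a real protector (TPM, PIN, password, smart card) is added.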

View File

@ -29,7 +29,9 @@ ms.topic: article
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. For more information, see:
- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements)
- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements).
## Onboarding non-Windows machines
You'll need to take the following steps to onboard non-Windows machines:
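Review bot: the two new bullets are inconsistent, the Linux bullet has no terminal period and the Mac bullet ends with one; pick one style. Also "For more information, see:" followed by a list normally ends without a trailing period on the last item in this doc set.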

View File

@ -12,14 +12,14 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/20/2020
ms.date: 05/29/2020
ms.reviewer:
manager: dansimp
---
# Enable attack surface reduction rules
[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
@ -27,22 +27,22 @@ manager: dansimp
Each ASR rule contains one of three settings:
* Not configured: Disable the ASR rule
* Block: Enable the ASR rule
* Audit: Evaluate how the ASR rule would impact your organization if enabled
- Not configured: Disable the ASR rule
- Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
> [!TIP]
> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
You can enable attack surface reduction rules by using any of these methods:
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
- [Microsoft Intune](#intune)
- [Mobile Device Management (MDM)](#mdm)
- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
- [Group Policy](#group-policy)
- [PowerShell](#powershell)
Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
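Review bot: the rewritten licensing sentence mixes number, "either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses", and then repeats "advanced monitoring and reporting capabilities" in two consecutive sentences where the old wording used "These advanced capabilities"; suggest "We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in ... Those capabilities aren't available with an E3 license, ...". The `*` to `-` bullet change is fine and matches the rest of the file.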
@ -50,6 +50,8 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).)
> [!IMPORTANT]
> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
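Review bot: the added indicator sentence introduces a second exclusion path, but the IMPORTANT callout that follows still only warns about "Excluding files or folders"; allowing a file or certificate indicator has the same effect of letting ASR-flagged code run, so the warning should cover both mechanisms. Also "based on certificate and file hashes" reads as if certificates were hashes; "based on file hashes or signing certificates" matches the "file and certificate indicators" wording later in the same sentence.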
@ -67,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
*C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
`C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
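Review bot: the CSV format line is ambiguous after the switch to code spans: "Each line in the CSV file should be formatted as follows:" followed by `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path` can be read either as one line carrying three comma-separated paths or as three example lines; state explicitly whether each line holds a single path. The step should also say whether environment variables such as `%ProgramFiles%` are expanded on the device, since the example relies on that.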
@ -79,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
The values to enable, disable, or enable in audit mode are:
* Disable = 0
* Block (enable ASR rule) = 1
* Audit = 2
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
Value: c:\path|e:\path|c:\Whitelisted.exe
`Value: c:\path|e:\path|c:\Whitelisted.exe`
> [!NOTE]
> Be sure to enter OMA-URI values without spaces.
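Review bot: the labels are now inside the code spans, for example `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules` and `Value: c:\path|e:\path|c:\Whitelisted.exe`, so a reader who copies the span pastes "OMA-URI path: " or "Value: " into the Intune field, which works against the note right below about entering values without spaces; keep the label as plain text and put only the path or value in backticks. Minor: the sample value still has one GUID with mixed case, `{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}`; normalizing it to upper case like the others avoids the appearance of a typo.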
@ -103,11 +105,16 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
## Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
1. Click **Home** > **Create Exploit Guard Policy**.
1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
1. Choose which rules will block or audit actions and click **Next**.
1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**.
2. Click **Home** > **Create Exploit Guard Policy**.
3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
4. Choose which rules will block or audit actions and click **Next**.
5. Review the settings and click **Next** to create the policy.
6. After the policy is created, click **Close**.
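Review bot: the switch from all-`1.` to explicit `1.` through `6.` numbering is fine, but this section keeps "click" ("Click **Home** > **Create Exploit Guard Policy**.") while the Intune steps above use "select"; the file should settle on one verb. The hunk header shows five extra lines (+16 against 11), presumably blank lines between the renumbered items, which is harmless but worth confirming does not split the ordered list in the rendered page.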
## Group Policy
@ -120,13 +127,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
* Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
* Disable = 0
* Block (enable ASR rule) = 1
* Audit = 2
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
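Review bot: un-bulleting "Click **Show...** and enter the rule ID in the **Value name** column..." under step 4 changes how the list renders: if that paragraph, the `- Disable = 0` list and the image are not indented under item 4, many Markdown renderers close the ordered list and the next numbered step restarts at 1; indent them by the width of the list marker so they stay part of step 4. Replacing the colon at the end of step 4 with a period matches the new structure.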
@ -169,11 +176,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
> Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
> ```
You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
You can also use the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
> [!WARNING]
> `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
> You can obtain a list of rules and their current state by using `Get-MpPreference`
> You can obtain a list of rules and their current state by using `Get-MpPreference`.
3. To exclude files and folders from ASR rules, use the following cmdlet:
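Review bot: good catch on "You can also the" becoming "You can also use the", but `Add-MpPreference` is a cmdlet, not a verb (Add is the verb); the IMPORTANT callout later in this file already says "the `Set-MpPreference` cmdlet", so use "cmdlet" here too. The last line of the WARNING block, "You can obtain a list of rules and their current state by using `Get-MpPreference`.", is informational rather than a warning and would sit better as its own paragraph or in a TIP.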
@ -186,7 +193,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
> [!IMPORTANT]
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
## Related topics
## Related articles
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
- [Attack surface reduction FAQ](attack-surface-reduction.md)
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
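Review bot: the new "Attack surface reduction FAQ" entry links to `attack-surface-reduction.md`, the same target as the first entry "Reduce attack surfaces with attack surface reduction rules"; either the FAQ lives in a different file or the link should carry the FAQ section anchor, otherwise two entries point to one page. Renaming the heading to "Related articles" is consistent with current docs style.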

View File

@ -53,7 +53,13 @@ The risk level reflects the overall risk assessment of the machine based on a co
### Exposure level
The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations.
The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your machines are less vulnerable from exploitation.
If the exposure level says "No data available," there are a few reasons why this may be the case:
- Device stopped reporting for more than 30 days in that case it is considered inactive, and the exposure isn't computed
- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md)
- Device with stale agent (very unlikely)
### OS Platform
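Review bot: "less vulnerable from exploitation" should be "less vulnerable to exploitation", and the first reason is a run-on: "Device stopped reporting for more than 30 days in that case it is considered inactive, and the exposure isn't computed" needs a break after "30 days" (for example "...for more than 30 days; it is then considered inactive and the exposure isn't computed"). The three bullets are also not parallel (one clause, one with a dash and a link, one noun phrase with an aside); wording such as "The device's OS is not supported" for each would read better, and "(very unlikely)" is an editorial aside that does not help the reader decide what to do.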

View File

@ -34,7 +34,8 @@ Offboard machine from Microsoft Defender ATP.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
>[!Note]
> This does not support offboarding macOS Devices.
> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
> This API is not supported on MacOS or Linux devices.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
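Review bot: "MacOS" in "This API is not supported on MacOS or Linux devices." should be "macOS", as the onboarding text elsewhere in this merge writes it. The two `>` lines form one callout, so they need an explicit line break or a blank `>` line between them to avoid running together when rendered. The Permissions sentence after the callout is also missing its closing period.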

View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 06/27/2019
ms.date: 05/29/2020
---
# Domain member: Maximum machine account password age
@ -42,8 +42,7 @@ For more information, see [Machine Account Password Process](https://techcommuni
### Best practices
1. We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days.
We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
### Location
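Review bot: removing the second recommendation leaves readers with no guidance for the pre-built or stored-computer scenario and no explanation in the diff for why it went; if it was dropped because the described failure mode (the computer not authenticating after more than 30 days offline) was inaccurate, a short sentence saying that this setting does not lock out long-offline computers would stop the old advice from being re-added. Since only one recommendation remains, dropping the `1.` list numbering is correct.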

View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/14/2019
ms.date: 05/29/2020
---
# Manage Packaged Apps with Windows Defender Application Control
@ -65,8 +65,10 @@ Below are the list of steps you can follow to block one or more packaged apps in
1. Get the app identifier for an installed package
```powershell
$package = Get-AppxPackage -name <example_app>
$package = Get-AppxPackage -name *<example_app>*
```
Where the name of the app is surrounded by asterisks, for example &ast;windowsstore&ast;
2. Make a rule by using the New-CIPolicyRule cmdlet
```powershell
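Review bot: wrapping the name in wildcards, `$package = Get-AppxPackage -name *<example_app>*`, can return several packages, and then `$package` is an array that the following `New-CIPolicyRule -Package $package` step receives whole; tell the reader to check that exactly one package came back (or to use the full package name) before building the rule. The new explanatory line "Where the name of the app is surrounded by asterisks, for example &ast;windowsstore&ast;" lacks a period and sits outside the numbered item's indentation, so it may render as a separate paragraph that breaks the list.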
@ -119,9 +121,9 @@ If the app you intend to block is not installed on the system you are using the
3. Copy the GUID in the URL for the app
- Example: the GUID for the Microsoft To-Do app is 9nblggh5r558
- https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab
- `https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab`
4. Use the GUID in the following REST query URL to retrieve the identifiers for the app
- Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata
- Example: for the Microsoft To-Do app, the URL would be `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata`
- The URL will return:
```
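Review bot: the value called "the GUID" here (`- Example: the GUID for the Microsoft To-Do app is 9nblggh5r558`) is a Store product ID, not a GUID; the code-span change is fine, but naming it "Store ID" or "product ID" in both steps 3 and 4 would stop readers looking for a `{...}` value. The fenced block after "The URL will return:" has no language tag; `json` would give it highlighting if the response is JSON.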
@ -141,4 +143,4 @@ The method for allowing specific packaged apps is similar to the method outlined
$Rule = New-CIPolicyRule -Package $package -allow
```
Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in C:\Windows\schemas\CodeIntegrity\ExamplePolicies to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.
Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.
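Review bot: the path change to `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` is correct, but the sentence is a single 50-word clause; splitting it ("Since many system apps are packaged apps, rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies`. They allow all inbox apps through the Store signature already included in the policies; use deny rules to control individual apps.") would make it easier to follow.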

Some files were not shown because too many files have changed in this diff.